Method and apparatus for symmetric-key encryption

ABSTRACT

The present invention provides a symmetric-key cryptographic technique capable of realizing both high-speed cryptographic processing having a high degree of parallelism, and alteration detection. The present invention performs the steps of: dividing plaintext composed of redundancy data and a message to generate a plurality of plaintext blocks each having a predetermined length; generating a random number sequence based on a secret key; generating a random number block corresponding to one of said plurality of plaintext blocks from said random number sequence; outputting a feedback value obtained as a result of operation on said one of the plurality of plaintext blocks and said random number block, said feedback value being fed back to another one of the plurality of plaintext blocks; and performing an encryption operation using said one of the plurality of plaintext blocks, said random number block, and a feedback value obtained as a result of operation on still another one of the plurality of plaintext blocks to produce a ciphertext block.

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority from Japanese Patent Application Reference No. 2000-070994, filed Mar. 9, 2000, and No. 2000-210690, filed Jul. 6, 2000, the entire contents of which are hereby incorporated by reference.

[0002] This application is related to U.S. Ser. No. 09/572,790, filed May 17, 2000 entitled “CRYPTOGRAPHIC APPARATUS AND METHOD”, having Soichi Furuya and Michael Roe listed as inventors, the entire contents of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

[0003] The present invention relates to a technique for ensuring security of confidential information.

[0004] Cryptographic processing apparatuses proposed so far employ a block cipher or a stream cipher for concealing data. Various types of block ciphers have been proposed including DES and IDEA. DES and IDEA are described in the following reference.

[0005] Reference 1: Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 250-259, pp. 263-266.

[0006] The security of the total cryptographic process of each block cipher and its characteristics are discussed based on the block-cipher operation mode employed, such as ECB, CBC, CFB, OFB, or the counter mode. However, only the iaPCBC mode is known to be capable of performing both cryptographic processing and detection of an alteration at the same time, and other modes cannot detect alterations by themselves. Block-cipher operation modes are described in the following reference.

[0007] Reference 2: Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, Inc., 1996, pp. 189-209.

[0008] The iaPCBC mode is described in the following reference.

[0009] Reference 3: Gligor, Donescu, “Integrity-Aware PCBC Encryption Schemes,” Preproceedings in Secure Protocol Workshop, Cambridge, 1999, to appear in Lecture Notes in Computer Science series, Springer-Verlag.

[0010] The iaPCBC mode is an operation mode which uses a block cipher. Regarding encryption, the iaPCBC mode can perform neither parallel processing nor preprocessing, which makes it very difficult to implement the iaPCBC mode in an environment in which processing at extremely high speed is required.

[0011] On the other hand, there is a system which generates a cryptographic checksum called a “message authentication code” (hereinafter referred to as “MAC”) in order to detect alterations. By implementing a MAC generation process as an independent mechanism, and executing the process during cryptographic processing in one of the above block-cipher operation modes, it is possible to perform both cryptographic processing and detection of an alteration at the same time. In this case, however, it is necessary to share two completely independent cryptographic keys, one for encryption and the other for alteration detection, and, furthermore, data to be encrypted must be processed twice, that is, once for encryption and once for MAC generation. As a result, a realized cryptographic system may be complicated or may not be suitable for processing data having an extended length. In addition, the processing speed of the block cipher is slower than the current communication speed, which means that it is difficult to apply any technique using a combination of the block cipher and MAC to processing of the order of gigabits per second or terabits per second. MAC is described in the following reference.

[0012] Reference 4: Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 352-368.

[0013] In contrast with the block cipher, a stream cipher is an encryption mechanism which uses one of various proposed cryptographic pseudorandom number generators. The stream cipher was not able to detect alterations by itself regardless of the security or characteristics of each implementation. Well-known stream ciphers, or pseudorandom number generators used for stream ciphers, include SEAL, a linear feedback shift register using a nonlinear combination generator, a linear feedback shift register using a nonlinear filter, and a clock-controlled linear feedback shift register. SEAL is described in the following reference.

[0014] Reference 5: Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, Inc., 1996, pp. 398-400.

[0015] On the other hand, systems based on the above feedback shift registers are described in the following reference.

[0016] Reference 6: Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 203-212.

[0017] A technique using a combination of a stream cipher and a MAC can also perform both cryptographic processing and detection of an alteration at the same time, and, furthermore, processing of a stream cipher is 2 to 20 times faster than that of a block cipher. However, as is the case with the combination of a block cipher and MAC, every MAC generation system (meaning every combination of a stream cipher and MAC) requires sharing of two different keys, and processing of a message twice. When considered in detail, the MAC generation system requires a particular mechanism in addition to that necessary for the stream cipher itself, and considerable computational complexity. For example, MAC generation systems such as HMAC and UMAC require a safe hash function having guaranteed cryptographically collision-free one-way characteristics. This means that it is necessary to implement the above safe function in addition to a stream cipher. HMAC is described in the above Reference 4 (p. 355, Example 9.67) while UMAC is described in the following reference.

[0018] Reference 7: Black, Halevi, Krawczyk, Krovetz, Rogaway, “UMAC: Fast and Secure Message Authentication,” Advances in Cryptology, CRYPTO '99, Lecture Notes in Computer Science, Vol. 1666, Springer-Verlag, 1999.

[0019] Generally, however, hash functions such as SHA-1 and MD5 are very complicated, and are not easy to implement. These hash functions are described in the following reference.

[0020] Reference 8: Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 347-349.

[0021] The security of hash functions has not yet been studied adequately in contrast with the study of the security of block ciphers. Therefore, a user may not be able to incorporate a hash function because the user cannot rely on the hash function. Of MAC generation systems, MMH uses only a pseudorandom number generator, and requires a very small amount of additional resources such as circuits and programs to add an alteration detection function to the cryptographic process. However, MMH requires a pseudorandom number sequence whose length is as long as that of the message, taking a long time to generate the necessary random numbers. MMH is described in the following reference.

[0022] Reference 9: Halevi, Krawczyk, “MMH: Software Message Authentication in the Gbit/Second Rates,” Fast Software Encryption, 4th International Workshop, FSE '97, Lecture Notes in Computer Science, Vol. 1267, Springer-Verlag, 1997.

[0024] As described above, the prior art techniques are unsatisfactory in terms of ensuring security and high-speed processing, and therefore it is required to develop a safer and faster cryptographic processing technique.

SUMMARY OF THE INVENTION

[0025] The present invention provides a safer and faster symmetric-key cryptographic processing technique.

[0026] The present invention provides a symmetric-key cryptographic method which is capable of performing alteration detection and decryption at the same time, and whose safety for data confidentiality and data alteration protection is provable.

[0027] The present invention provides a symmetric-key cryptographic method which advantageously has preprocessing and parallel processing functions, and which is capable of processing at high speed, capitalizing on the high-speed processing characteristics of the pseudorandom number generator.

[0028] The present invention provides a symmetric-key cryptographic method whose processing speed is not only faster than that of the conventional block cipher, but can be made still faster as the amount of resources employed is increased, and which can attain a high level of parallel operation for high-speed processing.

[0029] The present invention provides a symmetric-key cryptographic method whose processing speed does not drop even when a very short message is processed.

[0030] The present invention provides a symmetric-key cryptographic method which can be implemented by adding a very small circuit or program to stream cipher equipment.

[0031] The present invention provides a symmetric-key cryptographic method capable of processing each block using a pseudorandom number sequence as a key stream, and detecting an alteration at the same time.

[0032] A symmetric-key cryptographic method according to a first aspect of the present invention generates ciphertext C, using plaintext P, a key stream S, redundancy data (hereinafter simply referred to as a redundancy) R, and an initial value V, where the length of the key stream S is longer than that of the ciphertext C.

[0033] Specifically, when the length of the redundancy R is b bits and the length of the plaintext P is L = n*b + t bits (t is an integer equal to or larger than 0 and smaller than b, and n is an integer equal to or larger than 0), this method adds ((b−t) mod b) “0” bits and then the redundancy R to the end of the plaintext P to produce a character string having a length of L + ((b−t) mod b) + b bits. This length is a multiple of the length b.

[0034] This character string is divided into blocks P_(i) (1≦i≦m) each having b bits. The expression “X_(i) (1≦i≦n)” denotes a string of variables X_(i) having n elements from 1 to n. In the above case, the key stream must have a length of 2*m*b bits.

[0035] This key stream is either shared secretly between the encryption-side apparatus and the decryption-side apparatus beforehand, or generated from a secret key shared beforehand (this secret key corresponds to an input to a pseudorandom number generator, for example).

[0036] The key stream of the above length is divided into two block series, A_(i) and B_(i) (1≦i≦m, each block has b bits).

[0037] Letting the feedback initial value F₀ = V, ciphertext blocks C_(i) are calculated by the following formula. (This initial value V is also shared but it is not necessary to keep it secret.)

F_(i) = P_(i) ^ A_(i),   C_(i) = (F_(i) * B_(i)) ^ F_(i−1)   (1 ≦ i ≦ m)

[0038] The obtained cipher blocks C_(i) are concatenated to produce a character string, which is output as ciphertext C. Here, the operators “*” and “^” denote multiplication and addition, respectively, in the finite field F2^(b).

[0039] The corresponding decryption is performed as follows.

[0040] If the length of ciphertext C′ is not a multiple of b bits, a rejection indication is output. If it is a multiple of b bits, on the other hand, the ciphertext C′ is divided into blocks C′_(i) (1≦i≦m′) each having b bits.

[0041] By setting key stream blocks A_(i) and B_(i) (1≦i≦m′), and letting the feedback value F′₀ = V, the following processing is performed.

F′_(i) = (C′_(i) ^ F′_(i−1)) / B_(i),   P′_(i) = A_(i) ^ F′_(i)   (1 ≦ i ≦ m′).

[0042] The obtained results P′_(i) are concatenated to produce a character string, which is stored as the decryption result P′. The operator “/” denotes division in the finite field F2^(b).

[0043] The redundancy R must be restored as the b-bit character string P′_(m) if no alteration has been made. It is guaranteed that the probability that an attacker who does not know the keys might successfully make an alteration to the ciphertext without changing the redundancy R, which is restored as the character string P′_(m), is at most 1/2^(b). Based on the above fact, it is possible to detect alterations by checking whether the character string P′_(m) is identical to the redundancy R when b is sufficiently large (32 or more).

[0044] The symmetric-key cryptographic method of the first aspect is characterized in that the influence of an alteration made to a cipher block is propagated to the last block when the ciphertext has been decrypted, whichever cipher block has been altered. Accordingly, even if an attacker makes an alteration without directly changing the redundancy R, it is possible to detect the alteration.

[0045] More specifically, after a feedback value for the next block is generated and stored, the encryption operation on the current block is performed using a feedback value generated as a result of the encryption operation on the previous block. That is, when the generated intermediate values are denoted by X_(t) (t = 1 . . . n), that is, X₁, X₂, . . . X_(n), in the order of generation, and the feedback value F_(i) for the next block is indicated by the intermediate value X_(i), and furthermore, the intermediate value to which the feedback value F_(i−1) generated as a result of the operation on the previous block is applied is indicated by X_(j), the arguments i and j have the relationship i≦j (a necessary condition).

[0046] According to the first aspect of the present invention, the probability that an alteration made to ciphertext might pass the alteration detection check is 1/2^(b). However, the method requires a division operation in a finite field in decryption, and uses random-number data whose size is twice the size of the plaintext.

[0047] Description will be made of a symmetric-key cryptographic method according to a second aspect of the present invention, which does not ensure cryptographic security as high as that provided by the symmetric-key cryptographic method of the first aspect, but can provide more efficient processing instead.

[0048] The symmetric-key cryptographic method of the second aspect processes a message and a redundancy in the same way as they are processed in the symmetric-key cryptographic method of the first aspect. When plaintext with a redundancy has m blocks, a key stream having a length of b*(m+1) bits is required. This key stream is divided into blocks A_(i) (1≦i≦m) and B (B≠0).

[0049] Letting the feedback initial value F₀ = V, cipher blocks C_(i) are obtained by the following formula.

F_(i) = P_(i) ^ A_(i),   C_(i) = (F_(i) * B) ^ F_(i−1)   (1 ≦ i ≦ m)

[0050] The obtained cipher blocks C_(i) are concatenated to produce a character string, which is output as ciphertext C.

[0051] The corresponding decryption is performed as follows.

[0052] If the length of ciphertext C′ is not a multiple of b bits, a rejection indication is output. If it is a multiple of b bits, on the other hand, the ciphertext C′ is divided into blocks C′_(i) (1≦i≦m′) each having b bits.

[0053] As in the encryption, by setting key stream blocks A_(i) (1≦i≦m′) and B, and letting the feedback value F′₀ = V, the following processing is performed.

F′_(i) = (C′_(i) ^ F′_(i−1)) / B,   P′_(i) = A_(i) ^ F′_(i)   (1 ≦ i ≦ m′).

[0054] The redundancy portion is extracted from the obtained series of blocks P′_(i), and checked whether it is identical to the predetermined redundancy (the encrypted redundancy R). If the redundancy portion is identical to the predetermined redundancy, the remaining blocks of the series of blocks P′_(i) are output as a message; otherwise a rejection indication is output.

[0055] The redundancy (the encrypted redundancy R) must be restored as the b-bit character string P′_(m) if no alteration has been made.

[0056] The symmetric-key cryptographic method of the second aspect uses a plurality of key streams (each obtained from a different pseudorandom number sequence) during encryption/decryption of blocks (plaintext or ciphertext blocks). Of the plurality of key streams, one is changed for each iteration of the processing while the others are left unchanged, that is, the same key streams are used for all the iterations. More specifically, when two pseudorandom number sequences (key streams) supplied for encryption/decryption of the i-th block are denoted as A_(i) and B_(i), the key stream A_(i) is changed each time a block is processed, whereas B_(i) is not changed during processing of all the blocks.

[0057] According to the second aspect of the present invention, the probability that an alteration made to ciphertext by an attacker who does not know the keys might not be detected in the subsequent alteration detection process is (m−1)/2^(b). Generally, the alteration success rate is preferably 1/2³² or less. Since the data length m is set to about 2³² at maximum for actual implementation, b is preferably equal to 64 or more. In such a case, a multiplication operation in the finite field F2⁶⁴ is performed for both encryption and decryption. This operation is implemented by means of hardware at very high speed and low cost. In the case of software implementation, however, high-speed operation may be provided using a symmetric-key cryptographic method according to a third aspect of the present invention as described below.

[0058] The symmetric-key cryptographic method according to the third aspect of the present invention uses a longer redundancy. To begin with, the redundancy is set to have b*d bits, assuming that the subsequent processing is carried out in units of b bits. The message and the redundancy are processed in the same way as they are processed in the symmetric-key cryptographic methods of the first and second aspects to produce a series of blocks P_(i) (1≦i≦m, m≦d) composed of the message and the redundancy, each block having b bits. The key stream is set to have a length of b*(m+d) bits, and is divided into two block series A_(i) (1≦i≦m) and B_(i) (≠0, 1≦i≦d).

[0059] Letting the feedback initial value F^((i))₀ = V_(i) (1≦i≦d), cipher blocks C_(i) are calculated by the following formula.

F^((1))_(i) = P_(i) ^ A_(i),

F^((j+1))_(i) = (F^((j))_(i) * B_(j)) ^ F^((j))_(i−1)   (1 ≦ j ≦ d),

C_(i) = F^((d+1))_(i)   (1 ≦ i ≦ m)

[0060] The obtained cipher blocks C_(i) are concatenated to produce a character string, which is output as ciphertext C.

[0061] The corresponding decryption is performed as follows.

[0062] If the length of ciphertext C′ is not a multiple of b bits, a rejection indication is output. If it is a multiple of b bits, on the other hand, the ciphertext C′ is divided into blocks C′_(i) (1≦i≦m′) each having b bits.

[0063] As in the encryption, by setting key stream blocks A_(i) (1≦i≦m′) and B_(i) (≠0, 1≦i≦d), and letting the feedback initial value F^((i))₀ = V_(i) (1≦i≦d), the following processing is performed.

F′^((d+1))_(i) = C′_(i),

F′^((j))_(i) = (F′^((j+1))_(i) ^ F′^((j))_(i−1)) / B_(j)   (1 ≦ j ≦ d),

P′_(i) = A_(i) ^ F′^((1))_(i)   (1 ≦ i ≦ m′).

[0064] The redundancy portion is extracted from the obtained blocks P′_(i), and checked whether it is identical to the predetermined redundancy (the encrypted redundancy). If the extracted redundancy is identical to the predetermined redundancy, the remaining blocks of the blocks P′_(i) are output as a message; otherwise a rejection indication is output.

[0065] In the symmetric-key cryptographic method of the third aspect, although a redundancy having a length of b*d bits is used, the operations necessary for encryption and decryption are carried out in the finite field F2^(b). Multiplication in the finite field F2^(b) requires a computational amount (computational complexity) only 1/d² of that required by multiplication in the finite field F2^(b+d). However, since the number of required multiplication operations increases by a factor of d, this high-speed processing method possibly takes about 1/d of the time taken by the conventional method to complete the multiplication operations using a redundancy of the same length.
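The first, second and third aspects above are instances of one block-chaining rule: d rounds of "multiply by B, add the previous block's feedback", with d = 1 and a per-block B_(i) giving the first aspect, d = 1 and a constant B the second, and d > 1 with one constant B_(j) per round the third. The following Python is an added worked example written for this page, not code from the patent or its embodiments; it implements that general rule over the finite field F2⁶⁴ and shows the redundancy check rejecting a one-bit alteration. Assumed details not fixed by the text: the reduction polynomial x⁶⁴ + x⁴ + x³ + x + 1 for F2⁶⁴, SHAKE-256 seeded with the key as a stand-in pseudorandom number generator, a zero key-stream block B being replaced by 1 so that division stays defined, and all sample keys, values and messages being constructed here.

```python
import hashlib

B_BITS = 64                      # block width b; the second aspect asks for b >= 64
MASK = (1 << B_BITS) - 1
# Reduction polynomial x^64 + x^4 + x^3 + x + 1 (low bits 0x1B), a standard irreducible
# polynomial for GF(2^64). The patent names none, so this choice is an assumption.
REDUCTION = 0x1B


def gf_mul(x, y):
    """The text's '*' operator: multiplication in GF(2^64), bit-serial shift-and-add."""
    r = 0
    for _ in range(B_BITS):
        if y & 1:
            r ^= x
        y >>= 1
        carry = x >> (B_BITS - 1)
        x = (x << 1) & MASK
        if carry:
            x ^= REDUCTION
    return r


def gf_div(x, y):
    """The text's '/' operator: x * y^-1, with y^-1 computed as y^(2^64 - 2)."""
    if y == 0:
        raise ZeroDivisionError("key-stream block B must be nonzero")
    inv, base, e = 1, y, (1 << B_BITS) - 2
    while e:
        if e & 1:
            inv = gf_mul(inv, base)
        base = gf_mul(base, base)
        e >>= 1
    return gf_mul(x, inv)


def to_blocks(data):
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def key_stream(key, nblocks):
    """Stand-in pseudorandom number generator (SHAKE-256 seeded with the key); the
    patent leaves the generator to the implementer, so this is not its PRNG."""
    return to_blocks(hashlib.shake_256(key).digest(8 * nblocks))


def _streams(key, m, d, per_block_b):
    """A_i for the m blocks, then the B values: d*m of them when B varies per block
    (first aspect), d of them when each round has one constant B_j (second, third)."""
    ks = key_stream(key, m + (d * m if per_block_b else d))
    a, bs = ks[:m], ks[m:]
    # B must be invertible; a zero block is replaced by 1 (assumption, probability 2^-64).
    b_of = lambda j, i: (bs[j * m + i] if per_block_b else bs[j]) or 1
    return a, b_of


def encrypt(key, V, R, message, per_block_b=False):
    """V: list of the d initial values V_j; R: the d-block (8*d byte) redundancy."""
    d = len(V)
    assert len(R) == 8 * d
    P = to_blocks(message + b"\x00" * ((-len(message)) % 8) + R)  # zero pad, then R
    m = len(P)
    A, B = _streams(key, m, d, per_block_b)
    prev = list(V)                   # prev[j] holds F^(j)_{i-1}, initially V_j
    C = []
    for i in range(m):
        F = P[i] ^ A[i]              # F^(1)_i = P_i ^ A_i
        for j in range(d):
            nxt = gf_mul(F, B(j, i)) ^ prev[j]  # F^(j+1)_i = (F^(j)_i * B_j) ^ F^(j)_{i-1}
            prev[j] = F              # feedback for the next block is stored first
            F = nxt
        C.append(F)                  # C_i = F^(d+1)_i
    return b"".join(c.to_bytes(8, "big") for c in C)


def decrypt(key, V, R, ciphertext, per_block_b=False):
    """Returns the zero-padded message, or None (rejection) on a bad length or when
    the recovered trailing blocks differ from R. The zero padding stays because this
    summary layout carries no length field (the first embodiment prepends one)."""
    d = len(V)
    if len(ciphertext) % 8 or len(ciphertext) < 8 * d:
        return None
    C = to_blocks(ciphertext)
    m = len(C)
    A, B = _streams(key, m, d, per_block_b)
    prev = list(V)
    out = bytearray()
    for i in range(m):
        F = C[i]                     # F'^(d+1)_i = C'_i
        for j in reversed(range(d)):
            F = gf_div(F ^ prev[j], B(j, i))  # F'^(j)_i = (F'^(j+1)_i ^ F'^(j)_{i-1}) / B_j
            prev[j] = F
        out += (A[i] ^ F).to_bytes(8, "big")  # P'_i = A_i ^ F'^(1)_i
    if out[-8 * d:] != R:
        return None                  # alteration detected: redundancy not restored
    return bytes(out[:-8 * d])


def tamper_detected(key, V, R, ciphertext, byte_index, per_block_b=False):
    """Flip one ciphertext bit and report whether decryption rejects the result."""
    bad = bytearray(ciphertext)
    bad[byte_index] ^= 0x01
    return decrypt(key, V, R, bytes(bad), per_block_b) is None


if __name__ == "__main__":
    key = b"constructed demo key"    # constructed sample values, not from the patent
    R, V = bytes.fromhex("0123456789abcdef"), [0x1122334455667788]
    ct = encrypt(key, V, R, b"meter reading 42", per_block_b=True)  # first aspect
    print(decrypt(key, V, R, ct, per_block_b=True))                  # b'meter reading 42'
    print(tamper_detected(key, V, R, ct, 0, per_block_b=True))       # True
```

With d = 1 a single altered block changes F′_(i) by a nonzero field element, and every later F′ inherits a nonzero multiple of it, which is why the check on the last block cannot be bypassed by editing an earlier one; the (m−1)/2^(b) bound quoted for the second aspect is the chance that the d-round cascade of the third aspect cancels out.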

[0066] A symmetric-key cryptographic method according to a fourth aspect of the present invention incorporates the multiplication in the finite field F2^(b) employed by the symmetric-key cryptographic methods of the first through third aspects into the 3-round Feistel structure. Specifically, the operation A*B is replaced by a function which calculates

M₁ = A_(L) ^ (A_(R) * B_(L)),   M₂ = A_(R) ^ (M₁ * B_(R)),   M₃ = M₁ ^ (M₂ * B_(L))

[0067] and outputs M₃∥M₂ (B_(L) and B_(R) can be switched around, as can A_(L) and A_(R), or M₂ and M₃). These operations are self-invertible, and therefore the same operations can be used for the corresponding decryption.
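The self-invertibility claim can be checked directly; the following derivation is added here and is not part of the patent text. Writing ⊕ for the text's “^” (addition in F2^(b)) and · for its “*”, let Φ be the map applied to a pair of half-blocks:

$$
\begin{aligned}
\Phi(X_L, X_R) &= (Y_L, Y_R), \quad\text{where}\\
Y_1 &= X_L \oplus (X_R \cdot B_L), \qquad Y_2 = X_R \oplus (Y_1 \cdot B_R), \qquad Y_L = Y_1 \oplus (Y_2 \cdot B_L), \qquad Y_R = Y_2 .
\end{aligned}
$$

By the formula of [0066], $\Phi(A_L, A_R) = (M_3, M_2)$. Applying $\Phi$ once more to $(M_3, M_2)$:

$$
\begin{aligned}
Z_1 &= M_3 \oplus (M_2 \cdot B_L) = M_1 \oplus (M_2 \cdot B_L) \oplus (M_2 \cdot B_L) = M_1,\\
Z_2 &= M_2 \oplus (Z_1 \cdot B_R) = A_R \oplus (M_1 \cdot B_R) \oplus (M_1 \cdot B_R) = A_R,\\
Z_L &= Z_1 \oplus (Z_2 \cdot B_L) = A_L \oplus (A_R \cdot B_L) \oplus (A_R \cdot B_L) = A_L, \qquad Z_R = Z_2 = A_R,
\end{aligned}
$$

so $\Phi(\Phi(A_L, A_R)) = (A_L, A_R)$. Only $X \oplus X = 0$ is used; neither $B_L$ nor $B_R$ has to be invertible, which is why this form needs no division in decryption.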

[0068] A fifth aspect of the present invention relates to a method of dividing a message for processing. Specifically, plaintext P is divided into a predetermined number t of character strings P_(i) (1≦i≦t). The predetermined number t is decided according to a rule on which both the transmitter and the receiver have agreed. Each character string is combined with a different redundancy R_(i) (1≦i≦t) and then encrypted to produce ciphertext C_(i) using a symmetric-key cryptographic method according to one of the above aspects of the present invention. Separately from the above process, all redundancies R_(i) are concatenated to produce plaintext (R₁∥R₂∥R₃∥ . . . ∥R_(t)), which is then encrypted using a redundancy R shared between the transmitter and the receiver to obtain ciphertext C_(t+1). The above pieces of ciphertext (a series of ciphertext blocks) are concatenated (that is, C₁∥C₂∥C₃∥ . . . ∥C_(t+1)) to produce the final ciphertext C.

[0069] In the corresponding decryption, the ciphertext is divided into t character strings according to a predetermined rule, and the character strings are each decrypted separately. If no decryption result is a reject, and all the redundancies R_(i) are included in the redundancy plaintext (encrypted using the redundancy R in the encryption process, and now obtained as a result of decryption), the decryption results are accepted, and each piece of plaintext obtained as a result of decryption is concatenated in the order of the corresponding redundancy. If any one of the decryption results is a reject, the entire decryption result is rejected.

[0070] According to a sixth aspect of the present invention, multiplication in the finite field F2^(b) in the above five aspects of the present invention is replaced with multiplication in the finite field Fp, where p is a prime number which can be expressed as “2^(k) + 1” using an integer k.

[0071] Specifically, the operation a*(b+1)+1 in the finite field Fp is performed instead of the multiplication a*b in the finite field F2^(b). This operation can be accomplished by a combination of one multiplication operation, two addition operations, and one shift operation of a 2^(b)-bit shift register, making it possible to perform multiplication operations in the finite field F2^(b) using a general-purpose processor at high speed.

[0072] The above operation a*(b+1)+1 in the finite field Fp can provide high-speed processing, compared with multiplication in F2^(b), which requires b exclusive OR operations and b shift operations, and compared with multiplication in Fp using a general prime number p, which requires one multiplication operation and one division operation (a division operation requires a time a few tens of times longer than that required by an addition operation or a shift operation).

[0073] Since the present invention uses pseudorandom numbers, a user can employ the cryptographic primitive which the user believes is most reliable by selecting one from among block ciphers, hash functions, and stream ciphers as the pseudorandom number generator, which means that the security of the system can be easily attributed to the cryptographic primitive which the user has selected. Furthermore, the pseudorandom number generation can be carried out separately from the plaintext and the ciphertext processing, making it possible to employ parallel processing and preprocessing, resulting in processing at high speed.

[0074] As for implementation cost, the present invention can avoid additional implementation which is difficult to make, such as the additional implementation of a hash function.

[0075] These and other benefits are described throughout the present specification. A further understanding of the nature and advantages of the invention may be realized by reference to the remaining portions of the specification and the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0076] FIG. 1 is a system configuration employed in embodiments of the present invention;

[0077] FIG. 2 is a flowchart of a plaintext preparation subroutine;

[0078] FIG. 3 is a flowchart of a random number generation subroutine;

[0079] FIG. 4 is a flowchart of an encryption subroutine;

[0080] FIG. 5 is a flowchart of the decryption program shown in FIG. 1;

[0081] FIG. 6 is a flowchart of the ciphertext preparation subroutine shown in FIG. 5;

[0082] FIG. 7 is a flowchart of the decryption subroutine shown in FIG. 5;

[0083] FIG. 8 is a flowchart of the plaintext extraction subroutine shown in FIG. 5;

[0084] FIG. 9 is a flowchart of the redundancy extraction subroutine shown in FIG. 5;

[0085] FIG. 10 is a diagram showing data blocks in encryption;

[0086] FIG. 11 is a diagram showing data blocks in the decryption shown in FIG. 7;

[0087] FIG. 12 is a flowchart of the random number generation 2 subroutine according to a second embodiment of the present invention;

[0088] FIG. 13 is a flowchart of the encryption 2 subroutine of the second embodiment;

[0089] FIG. 14 is a flowchart of the decryption program of the second embodiment;

[0090] FIG. 15 is a flowchart of the decryption 2 subroutine of the second embodiment;

[0091] FIG. 16 is a diagram showing data blocks in the encryption according to the second embodiment;

[0092] FIG. 17 is a diagram showing data blocks in the decryption according to the second embodiment;

[0093] FIG. 18 is a flowchart of the encryption program according to a third embodiment of the present invention;

[0094] FIG. 19 is a flowchart of the random number generation 3 subroutine of the third embodiment;

[0095] FIG. 20 is a flowchart of the encryption 3 subroutine of the third embodiment;

[0096] FIG. 21 is a flowchart of the decryption program of the third embodiment;

[0097] FIG. 22 is a flowchart of the decryption 3 subroutine of the third embodiment;

[0098] FIG. 23 is a diagram showing data blocks in the encryption according to the third embodiment;

[0099] FIG. 24 is a diagram showing data blocks in the decryption according to the third embodiment;

[0100] FIG. 25 is a flowchart of the parallel encryption program according to a fifth embodiment of the present invention;

[0101] FIG. 26 is a flowchart of the parallel decryption program of the fifth embodiment;

[0102] FIG. 27 is a diagram showing data blocks in the encryption according to the fifth embodiment;

[0103] FIG. 28 is a diagram showing data blocks in the decryption according to the fifth embodiment;

[0104] FIG. 29 is a flowchart of the random number generation 4 subroutine according to a fourth embodiment of the present invention;

[0105] FIG. 30 is a flowchart of the plaintext preparation 2 subroutine of the fourth embodiment;

[0106] FIG. 31 is an explanatory diagram showing a padding operation on a message according to the fourth embodiment;

[0107] FIG. 32 is a flowchart of the decryption program of the fourth embodiment;

[0108] FIG. 33 is a flowchart of the plaintext extraction 2 subroutine shown in FIG. 32;

[0109] FIG. 34 is an explanatory diagram showing an extraction operation on decrypted text according to the fourth embodiment;

[0110] FIG. 35 is a diagram showing the configuration of a system for cryptocommunications according to a sixth embodiment of the present invention;

[0111] FIG. 36 is a diagram showing the configuration of an encryption apparatus employed in a cryptocommunication system according to a seventh embodiment of the present invention;

[0112] FIG. 37 is a diagram showing the configuration of a contents delivery system according to an eighth embodiment of the present invention;

[0113] FIG. 38 is a diagram showing the configuration of a system according to a ninth embodiment of the present invention; and

[0114] FIG. 39 is a diagram showing the configuration of an encryption/decryption router according to a tenth embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0115] (First Embodiment)

[0116] FIG. 1 shows the configuration of a computer system including a computer A10002 and a computer B10003 connected to each other through a network 10001 for cryptocommunications from the computer A10002 to the computer B10003. The computer A10002 has an operation unit (hereinafter referred to as “CPU”) 10004, a memory unit (volatile or nonvolatile, hereinafter referred to as “RAM”) 10005, and a network interface 10006 therein, and a display 10007 and a keyboard 10008 externally connected thereto for the user to operate the computer A10002. The RAM 10005 stores an encryption program PROG1_10009, a random number generation program PROG2_10010, a secret key K10011, which is secret information shared only between the computers A10002 and B10003, a redundancy R10012 and an initial value V10013, which both are data shared between the computers A10002 and B10003, and encryption-target data 10014 to be transmitted to the computer B10003. The computer B10003 has a CPU 10015, a RAM 10016, and a network interface 10017 therein, and a display 10018 and a keyboard 10019 externally connected thereto for the user to operate the computer B10003. The RAM 10016 stores a decryption program PROG3_10020, a random number generation program PROG2_10021, the secret key K10011, the redundancy R10012, and the initial value V10013.

[0117] The computer A10002 executes the encryption program PROG1_10009 to generate ciphertext C10022 from a message M10014, and transmits the generated ciphertext C10022 to the network 10001 through the network interface 10006. Receiving the ciphertext C10022 through the network interface 10017, the computer B10003 executes the decryption program PROG3_10020, and if no alteration is detected, the computer B10003 stores the decryption results in the RAM 10016.

[0118] Each program employed can be introduced into each RAM by receiving the program from another computer in the form of a transmission signal, which is a transmission medium on the network 10001, or by using a portable medium such as a CD or an FD. Each program can be configured so that it runs under control of the operating system (not shown) of each computer.

[0119] The encryption program PROG1_10009 is read out from the RAM 10005, and executed by the CPU 10004 in the computer A10002. The encryption program PROG1_10009 internally calls a random number generation program PROG2_10010 as a subroutine to process the input secret key K10011, the redundancy R10012, the initial value V10013, and the message M10014 so as to output ciphertext C10022.

[0120] The decryption program PROG3_10020 is read out from the RAM 10016, and executed by the CPU 10015 in the computer B10003. The decryption program PROG3_10020 internally calls a random number generation program PROG2_10021 as a subroutine to process the input key K10011, the redundancy R10012, the initial value V10013, and the ciphertext C10022 so as to output a message or an alteration detection alarm.

[0121] Description will be made of the process flow of the encryption program PROG1_10009.

[0122] Step 20002 (a data setting subroutine): waits for input of aninitial value V, a redundancy R, and a secret key K.

[0123] Step 20003 (a plaintext preparation subroutine): waits for inputof plaintext, adds predetermined padding and a redundancy to the givenplaintext, and divides the padded plaintext into a series of plaintextblocks P_(i) (1≦i≦n) each having 64 bits and outputs them.

[0124] Step 20004 (a random number generation subroutine): outputspseudorandom number sequences A_(i) and B_(i) (1≦i≦n) based on thesecret key K.

[0125] Step 20005 (an encryption subroutine): uses the pseudorandomnumber sequences A_(i) and B_(i), the series of plaintext blocks P_(i)(1≦i≦n), and the initial value V to output a series of ciphertext blocksC_(i) (1≦i≦n).

[0126] Step 20006: concatenates the series of ciphertext blocks C_(i)(1≦i≦n) obtained at step 20005 one after another sequentially to outputciphertext C.

[0127] In this specification, the term “padding” used above refers toaddition of additional data to main data. In the case of padding ofdigital data, the additional data is often concatenated to the maindata, simply bits to bits.

[0128] Description will be made of the process flow of the plaintext preparation subroutine with reference to FIG. 2.

[0129] Step 20202: waits for input of an encryption-target message M. The message M is either input from the keyboard 10008, read out from a RAM, or introduced from another medium.

[0130] Step 20203: adds padding indicating the length of the message. Specifically, this step prepends 64-bit binary data indicating the length of the message M to the head of the message M.

[0131] Step 20204: adds padding to the message so that the length of the message is a multiple of a predetermined number. Specifically, the padded data is set to have a length that is an integer multiple of 64 bits for subsequent processing. When the length of the message M with the length data added at step 20203 is L bits, this step appends (64 − L (mod 64)) zero bits to the end of the message M.

[0132] Step 20205 (addition of redundancy data): further adds a redundancy R of 64 bits to the end of the message.

[0133] Step 20206 (division of message data into plaintext blocks): divides the data obtained at step 20205 into blocks P₁, P₂, . . . , P_(n), each having 64 bits.

[0134] Description will be made of the process flow of the random number generation subroutine with reference to FIG. 3.

[0135] Step 20302 (input of necessary parameters): obtains the number n of blocks making up the padded message, and the secret key K.

[0136] Step 20303 (generation of a pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and outputs it as a pseudorandom number sequence A.

[0137] Step 20304 (division of random number sequence A into blocks): divides the pseudorandom number sequence A into blocks A₁, A₂, . . . , A_(n), each having 64 bits.

[0138] Step 20305 (initialization of a counter i): initializes a counter so that i=1.

[0139] Step 20306 (generation of a random number B_(i)): executes PROG2 using the secret key K to generate a random number B_(i) having 64 bits.

[0140] Step 20307: if the random number B_(i) generated at step 20306 is 0, returns to step 20306.

[0141] Step 20308: if i=n, performs step 20310.

[0142] Step 20309: increments the counter i and returns to step 20306.

[0143] Description will be made of the process flow of the encryption subroutine with reference to FIG. 4.

[0144] Step 20402: sets an initial value F₀ so that F₀=V.

[0145] Step 20403: sets a counter so that i=1.

[0146] Step 20404: calculates a feedback value F_(i) by the formula F_(i) = P_(i) ^ A_(i).

[0147] Step 20405: calculates a ciphertext block C_(i) by the formula C_(i) = (F_(i) * B_(i)) ^ F_(i−1).

[0148] Step 20406: if i=n, performs step 20408.

[0149] Step 20407: increments the counter i and returns to step 20404.

[0150] Description will be made of the process flow of the decryption program PROG3_10020 with reference to FIG. 5.

[0151] Step 20502 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.

[0152] Step 20503 (a ciphertext preparation subroutine): waits for input of ciphertext C′, divides the given ciphertext C′ into a series of ciphertext blocks C′_(i) (1≦i≦n) each having 64 bits, and outputs them.

[0153] Step 20504 (a random number generation subroutine): outputs pseudorandom number sequences A_(i) and B_(i) (1≦i≦n) based on the secret key K.

[0154] Step 20505 (a decryption subroutine): uses the pseudorandom number sequences A_(i) and B_(i), the series of ciphertext blocks C′_(i) (1≦i≦n), and the initial value V to output a series of plaintext blocks P′_(i) (1≦i≦n).

[0155] Step 20506 (a plaintext extraction subroutine): combines the series of plaintext blocks P′_(i) into three data strings L′, M′, and Z′.

[0156] Step 20507 (a redundancy extraction subroutine): divides Z′ into R′ and T′.

[0157] Step 20508: if T′=0 and R′=R, proceeds to step 20510.

[0158] Step 20509: outputs a rejection indication and proceeds to step 20511.

[0159] Step 20510: stores M′ into a RAM.

[0160] At step 20509 or 20510, the decryption program outputs the result (acceptance/rejection or the decryption result) to the display 10018 as a notification to the user.

[0161] Description will be made of the process flow of the ciphertext preparation subroutine with reference to FIG. 6.

[0162] Step 20602: waits for input of ciphertext C′.

[0163] Step 20603: divides the ciphertext C′ into blocks C′₁, C′₂, . . . , C′_(n), each having 64 bits.

[0164] Description will be made of the process flow of the decryption subroutine with reference to FIG. 7.

[0165] Step 20702: sets an initial value F′₀ so that F′₀=V.

[0166] Step 20703: initializes a counter so that i=1.

[0167] Step 20704: calculates a feedback value F′_(i) by the formula F′_(i) = (C′_(i) ^ F′_(i−1)) / B_(i).

[0168] Step 20705: calculates a plaintext block P′_(i) by the formula P′_(i) = F′_(i) ^ A_(i).

[0169] Step 20706: if i=n, performs step 20708.

[0170] Step 20707: increments the counter i and returns to step 20704.

[0171] Description will be made of the process flow of the plaintext extraction subroutine with reference to FIG. 8.

[0172] Step 20802: sets L′ to the first 64-bit plaintext block.

[0173] Step 20803: sets M′ to the L′ bits starting from the most significant bit of P′₂ in the series of decrypted plaintext blocks.

[0174] Step 20804: after L′ and M′ are removed from the series of decrypted plaintext blocks, sets Z′ to the remaining decrypted plaintext blocks (data).

[0175] Description will be made of the process flow of the redundancy extraction subroutine with reference to FIG. 9.

[0176] Step 20902: sets R′ to the lower 64 bits of Z′.

[0177] Step 20903: after R′ is removed from Z′, sets T′ to the remaining data.

[0178] FIG. 10 is an explanatory diagram showing the encryption process. The encircled plus “(+)” denotes an exclusive OR operation between two pieces of data each having a width of 64 bits, while the encircled X mark “(X)” denotes a multiplication operation between two pieces of data each having a width of 64 bits in the finite field F2⁶⁴.

[0179] The message M20931 has data 20930 indicating the length, appropriate padding 20932, and a redundancy R20933 added to it to produce plaintext P20934.

[0180] The produced plaintext P20934 is divided into blocks P₁_20935, P₂_20936, P₃_20937, . . . , P_(n)_20938, each having 64 bits.

[0181] P₁_20935 and A₁_20940 are exclusive-ORed to produce a feedback value F₁_20941, which is then multiplied by B₁_20942 in a finite field. The result is exclusive-ORed with an initial value F₀_20939 to obtain a ciphertext block C₁_20943.

[0182] Similarly, P₂_20936 and A₂_20946 are exclusive-ORed to produce a feedback value F₂_20945, which is then multiplied by B₂_20946 in a finite field. The result is exclusive-ORed with the feedback value F₁_20941 to obtain a ciphertext block C₂_20947.

[0183] The above procedure is repeated up to P_(n)_20938, obtaining ciphertext blocks C₁_20943, C₂_20947, C₃_20951, . . . , C_(n)_20955. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C_20956.

[0184] FIG. 11 is an explanatory diagram showing the decryption process. The encircled slash “(/)” denotes a division operation between two pieces of data each having a width of 64 bits in the finite field F2⁶⁴. In the figure, data introduced to the encircled slash symbol from the top is the dividend, while data introduced from the left is the divisor.

[0185] Ciphertext C′_20960 is divided into blocks C′₁_20962, C′₂_20963, C′₃_20964, . . . , C′_(n)_20965, each having 64 bits.

[0186] C′₁ and an initial value F′₀_20961 are exclusive-ORed, and the result is divided by B₁_20966. The division result is set as a feedback value F′₁_20967. The feedback value F′₁_20967 and A₁_20968 are exclusive-ORed to obtain a plaintext block P′₁_20969.

[0187] The other blocks C′₂_20963, C′₃_20964, . . . , C′_(n)_20965 are also processed in the same way as C′₁_20962 to obtain plaintext blocks P′₁_20969, P′₂_20972, P′₃_20977, . . . , P′_(n)_20981, which are then concatenated one after another to produce plaintext P′_20982. The plaintext P′_20982 is divided into L′_20983, M′_20984, and Z′_20985. Furthermore, Z′_20985 is divided into T′_20988 and R′_20989 so as to check the redundancy R′_20989.

[0188] The first embodiment uses a pseudorandom number sequence about twice as long as the message for its cryptographic processes. Even though pseudorandom number generation is faster than block cipher processing, it has the highest computational complexity of the operations in these cryptographic processes. Therefore, it is desirable to reduce the number of random numbers used.

[0189] (Second Embodiment)

[0190] As described below, a second embodiment of the present invention employs a function different from that used by the first embodiment. By employing this function, the second embodiment can reduce the number of random numbers required, and use the same divisor in each iteration of its decryption process, which makes it possible to perform the division operation at substantially the same speed as a multiplication operation if the reciprocal is calculated beforehand, resulting in very efficient processing.

[0191] The second embodiment employs an encryption program PROG1A and a decryption program PROG3A instead of the encryption program PROG1 and the decryption program PROG3, respectively.

[0192] The encryption program PROG1A replaces the random number generation subroutine 20004 and the encryption subroutine 20005 employed in the encryption program PROG1_10009 in FIG. 1 with a random number generation 2 subroutine 21004 and an encryption 2 subroutine 21005, respectively.

[0193] Description will be made of the process flow of the random number generation 2 subroutine 21004 with reference to FIG. 12.

[0194] Step 21102 (input of necessary parameters): obtains the number n of message blocks making up a padded message, and a secret key K.

[0195] Step 21103 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and outputs it as a pseudorandom number sequence A.

[0196] Step 21104 (division of pseudorandom number sequence A into blocks): divides the pseudorandom number sequence A into blocks A₁, A₂, . . . , A_(n), each having 64 bits.

[0197] Step 21105 (generation of random number B): executes PROG2 using the secret key K to generate a random number B having 64 bits.

[0198] Step 21106: if the value of B generated at step 21105 is 0, returns to step 21105.

[0199] Description will be made of the process flow of the encryption 2 subroutine 21005 with reference to FIG. 13.

[0200] Step 21202: sets an initial value F₀ so that F₀=V.

[0201] Step 21203: sets a counter so that i=1.

[0202] Step 21204: calculates a feedback value F_(i) by the formula F_(i) = P_(i) ^ A_(i).

[0203] Step 21205: calculates a ciphertext block C_(i) by the formula C_(i) = (F_(i) * B) ^ F_(i−1).

[0204] Step 21206: if i=n, performs step 21208.

[0205] Step 21207: increments the counter i and returns to step 21204.

[0206] Description will be made of the process flow of the decryption program PROG3A corresponding to PROG1A with reference to FIG. 14.

[0207] The decryption program PROG3A replaces the random number generation subroutine 20504 and the decryption subroutine 20505 employed in the decryption program PROG3_10020 with a random number generation 2 subroutine 21304 and a decryption 2 subroutine 21305, respectively.

[0208] Step 21302 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.

[0209] Step 21303 (a ciphertext preparation subroutine): waits for input of ciphertext C′, divides the given ciphertext C′ into a series of ciphertext blocks C′_(i) (1≦i≦n) each having 64 bits, and outputs them.

[0210] Step 21304 (a random number generation subroutine): outputs pseudorandom number sequences A_(i) (1≦i≦n) and B based on the secret key K.

[0211] Step 21305 (a decryption subroutine): uses the pseudorandom number sequences A_(i) and B, the series of ciphertext blocks C′_(i) (1≦i≦n), and the initial value V to output a series of plaintext blocks P′_(i) (1≦i≦n).

[0212] Step 21306 (a plaintext extraction subroutine): combines the series of plaintext blocks P′_(i) into three data strings L′, M′, and Z′.

[0213] Step 21307 (a redundancy extraction subroutine): divides Z′ into R′ and T′.

[0214] Step 21308: if T′=0 and R′=R, proceeds to step 21310.

[0215] Step 21309: outputs a rejection indication and proceeds to step 21311.

[0216] Step 21310: stores M′ into a RAM.

[0217] Description will be made of the process flow of the decryption 2 subroutine 21305 in FIG. 14 with reference to FIG. 15.

[0218] Step 21402: sets an initial value F′₀ so that F′₀=V.

[0219] Step 21403: calculates 1/B beforehand.

[0220] Step 21404: initializes a counter so that i=1.

[0221] Step 21405: calculates a feedback value F′_(i) by the formula F′_(i) = (C′_(i) ^ F′_(i−1)) * (1/B).

[0222] Step 21406: calculates a plaintext block P′_(i) by the formula P′_(i) = F′_(i) ^ A_(i).

[0223] Step 21407: if i=n, performs step 21409.

[0224] Step 21408: increments the counter i and returns to step 21405.

[0225] FIG. 16 is an explanatory diagram showing the encryption process employed by the above method of increasing the processing speed.

[0226] The message M21421 has data 21420 indicating the length, appropriate padding 21422, and a redundancy R21423 added to it to produce plaintext P21424.

[0227] The produced plaintext is divided into blocks P₁_21425, P₂_21426, P₃_21427, . . . , P_(n)_21428, each having 64 bits.

[0228] P₁_21425 and A₁_21431 are exclusive-ORed to produce a feedback value F₁_21432, which is then multiplied by B_21429 in a finite field. The result is exclusive-ORed with an initial value F₀_21430 to obtain a ciphertext block C₁_21433.

[0229] Similarly, P₂_21426 and A₂_21434 are exclusive-ORed to produce a feedback value F₂_21435, which is then multiplied by B_21429 in a finite field. The result is exclusive-ORed with the feedback value F₁_21432 to obtain a ciphertext block C₂_21436.

[0230] The above procedure is repeated up to P_(n)_21428, obtaining ciphertext blocks C₁_21433, C₂_21436, C₃_21439, . . . , C_(n)_21442. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C_21443.

[0231] FIG. 17 is an explanatory diagram showing the corresponding decryption process.

[0232] Ciphertext C′_21450 is divided into blocks C′₁_21453, C′₂_21454, C′₃_21455, . . . , C′_(n)_21456, each having 64 bits.

[0233] C′₁ and an initial value F′₀_21451 are exclusive-ORed, and the result is multiplied by 1/B_21452. The multiplication result is set as a feedback value F′₁_21457. The feedback value F′₁_21457 and A₁_21458 are exclusive-ORed to obtain a plaintext block P′₁_21459.

[0234] The other blocks C′₂_21454, C′₃_21455, . . . , C′_(n)_21456 are also processed in the same way as C′₁_21453 to obtain plaintext blocks P′₁_21459, P′₂_21462, P′₃_21465, . . . , P′_(n)_21468, which are then concatenated one after another to produce plaintext P′_21476. The plaintext P′_21476 is divided into L′_21469, M′_21470, and Z′_21471. Furthermore, Z′_21471 is divided into T′_21474 and R′_21475 so as to check the redundancy R′_21475.

[0235] The second embodiment uses a 64-bit redundancy, and therefore employs addition and multiplication in the finite field F2⁶⁴.

[0236] With the enhanced efficiency provided by this embodiment, it is possible to realize high-speed cryptographic processing. An implementation example written in the C programming language achieved a processing speed of 202 Mbit/sec in encryption processing using a 64-bit processor with a clock frequency of 600 MHz, and a processing speed of 207 Mbit/sec in decryption processing.

[0237] The above implementation uses operations such as pseudorandom number generation, exclusive OR, and multiplication in the finite field F2⁶⁴, which are implemented especially efficiently in hardware. For example, it is estimated that with a gate array fabricated in a 0.35-μm process, the above operations can be implemented by adding a circuit of 3 k gates to the pseudorandom number generator. Furthermore, the pseudorandom number generator can be implemented using parallel processing, making it easy to realize a parallel processing device (including the pseudorandom number generator) with as high a processing speed as required. Thus, it is possible to realize a processing speed of up to 9.6 Gbit/sec by adding a circuit of about 36 k gates to a parallel pseudorandom number generator.

[0238] (Third Embodiment)

[0239] As described below, a third embodiment of the present invention uses another high-speed processing function to provide processing at higher speed with the same security level as the first and second embodiments. In another aspect, the third embodiment can provide higher security, equivalent to F2¹²⁸, if the operations in the finite field F2⁶⁴ employed in the first and second embodiments are used.

[0240] In the aspect of providing processing at higher speed described above, the third embodiment uses an operation in the finite field F2³² twice. Since multiplication in the field F2⁶⁴ generally requires a computational amount (computational complexity) four times that for the finite field F2³², the third embodiment requires only half ((¼)*2) of the computational amount (computational complexity) required by an operation in the finite field F2⁶⁴, effectively doubling the processing speed.

[0241] In the aspect of enhancing security, the third embodiment can use both an operation in the finite field F2⁶⁴ and a 64-bit feedback value twice to reduce the alteration success rate from 2⁻⁶⁴ for the above method to 2⁻¹²⁸.

[0242] The third embodiment employs an encryption program PROG1B and a decryption program PROG3B instead of the encryption program PROG1 and the decryption program PROG3.

[0243] The encryption program PROG1B replaces the random number generation subroutine (step 20004) and the encryption subroutine (step 20005) employed in the encryption program PROG1_10009 in FIG. 1 with a random number generation 3 subroutine 21504 and an encryption 3 subroutine 21505. Description will be made of the process flow of the encryption program PROG1B with reference to FIG. 18.

[0244] Step 21502 (a data setting subroutine): waits for input of an initial value V, a redundancy R, and a secret key K.

[0245] Step 21503 (a plaintext preparation subroutine): waits for input of plaintext, adds predetermined padding and a redundancy to the given plaintext, divides the padded plaintext into a series of plaintext blocks P_(i) (1≦i≦n) each having 32 bits, and outputs them.

[0246] Step 21504 (random number generation 3 subroutine): outputs pseudorandom number sequences A_(i) (1≦i≦n), Ba, and Bb based on the secret key K.

[0247] Step 21505 (encryption 3 subroutine): uses the pseudorandom number sequences A_(i), Ba, and Bb, the series of plaintext blocks P_(i) (1≦i≦n), and the initial value V to output a series of ciphertext blocks C_(i) (1≦i≦n).

[0248] Step 21506: concatenates the series of ciphertext blocks C_(i) (1≦i≦n) obtained at step 21505 one after another in sequence to output ciphertext C.

[0249] Description will be made of the process flow of the random number generation 3 subroutine 21504 with reference to FIG. 19.

[0250] Step 21602 (input of necessary parameters): obtains the number n of message blocks making up the padded message and the secret key K.

[0251] Step 21603 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 32*n bits and outputs it as a pseudorandom number sequence A.

[0252] Step 21604 (division of random number sequence A into blocks): divides the pseudorandom number sequence A into blocks A₁, A₂, . . . , A_(n), each having 32 bits.

[0253] Step 21605 (generation of random number Ba): executes PROG2 using the secret key K to generate a random number Ba having 32 bits.

[0254] Step 21606: if the value of the random number Ba generated at step 21605 is 0, returns to step 21605.

[0255] Step 21607 (generation of random number Bb): executes PROG2 using the secret key K to generate a random number Bb having 32 bits.

[0256] Step 21608: if the value of the random number Bb generated at step 21607 is 0, returns to step 21607.

[0257] Description will be made of the process flow of the encryption 3 subroutine 21505 with reference to FIG. 20. The symbols “*” and “^” denote multiplication and addition, respectively, in the finite field F2³².

[0258] Step 21702: sets initial values FA₀ and FB₀ so that FA₀=FB₀=V.

[0259] Step 21703: initializes a counter so that i=1.

[0260] Step 21704: calculates a feedback value FA_(i) by the formula FA_(i) = P_(i) ^ A_(i).

[0261] Step 21705: calculates a feedback value FB_(i) by the formula FB_(i) = (FA_(i) * Ba) ^ FA_(i−1).

[0262] Step 21706: calculates a ciphertext block C_(i) by the formula C_(i) = (FB_(i) * Bb) ^ FB_(i−1).

[0263] Step 21707: if i=n, performs step 21709.

[0264] Step 21708: increments the counter i and returns to step 21704.

[0265] Description will be made of the process flow of the decryption program PROG3B with reference to FIG. 21. The decryption program PROG3B replaces the random number generation subroutine 20504 and the decryption subroutine 20505 employed in the decryption program PROG3_10020 with a random number generation 3 subroutine 21804 and a decryption 3 subroutine 21805, respectively.

[0266] Step 21802 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.

[0267] Step 21803 (a ciphertext preparation subroutine): waits for input of ciphertext C′, divides the given ciphertext C′ into a series of ciphertext blocks C′_(i) (1≦i≦n) each having 32 bits, and outputs them.

[0268] Step 21804 (a random number generation subroutine): outputs pseudorandom number sequences A_(i) (1≦i≦n), Ba, and Bb based on the secret key K.

[0269] Step 21805 (a decryption subroutine): uses the pseudorandom number sequences A_(i), Ba, and Bb, the series of ciphertext blocks C′_(i) (1≦i≦n), and the initial value V to output a series of plaintext blocks P′_(i) (1≦i≦n).

[0270] Step 21806 (a plaintext extraction subroutine): combines the series of plaintext blocks P′_(i) into three data strings L′, M′, and Z′.

[0271] Step 21807 (a redundancy extraction subroutine): divides Z′ into R′ and T′.

[0272] Step 21808: if T′=0 and R′=R, proceeds to step 21810.

[0273] Step 21809: outputs a rejection indication and proceeds to step 21811.

[0274] Step 21810: stores M′ into a RAM.

[0275] Description will be made of the process flow of the decryption 3 subroutine 21805 in FIG. 21 with reference to FIG. 22. The symbol “/” denotes division in the finite field F2³².

[0276] Step 21902: sets initial values FA′₀ and FB′₀ so that FA′₀=FB′₀=V.

[0277] Step 21903: calculates 1/Ba and 1/Bb beforehand.

[0278] Step 21904: initializes a counter so that i=1.

[0279] Step 21905: calculates a feedback value FB′_(i) by the formula FB′_(i) = (C′_(i) ^ FB′_(i−1)) * (1/Bb).

[0280] Step 21906: calculates a feedback value FA′_(i) by the formula FA′_(i) = (FB′_(i) ^ FA′_(i−1)) * (1/Ba).

[0281] Step 21907: calculates a plaintext block P′_(i) by the formula P′_(i) = FA′_(i) ^ A_(i).

[0282] Step 21908: if i=n, performs step 21910.

[0283] Step 21909: increments the counter i and returns to step 21905.

[0284] FIG. 23 is an explanatory diagram showing the encryption process employed by the above method of increasing the processing speed.

[0285] The message M21921 has data L21920 indicating the length, appropriate padding 21922, and a redundancy R21923 added to it to produce plaintext P21924.

[0286] The produced plaintext P21924 is divided into blocks P₁_21925, P₂_21926, P₃_21927, . . . , P_(n)_21928, each having 32 bits.

[0287] P₁_21925 and A₁_21933 are exclusive-ORed to produce a feedback value FA₁_21934, which is then multiplied by Ba_21929 in a finite field. The result is exclusive-ORed with an initial value FA₀_21930 to obtain a feedback value FB₁_21935. The obtained feedback value FB₁_21935 is multiplied by Bb_21931 in a finite field, and the multiplication result is exclusive-ORed with an initial value FB₀_21932 to obtain a ciphertext block C₁_21936.

[0288] Similarly, P₂_21926 and A₂_21937 are exclusive-ORed to produce a feedback value FA₂_21938, which is then multiplied by Ba_21929 in a finite field. The result is exclusive-ORed with the feedback value FA₁_21934 to obtain a feedback value FB₂_21939. The obtained FB₂_21939 is multiplied by Bb_21931 in a finite field, and the multiplication result is exclusive-ORed with the feedback value FB₁_21935 to obtain a ciphertext block C₂_21940.

[0289] The above procedure is repeated up to P_(n)_21928, obtaining ciphertext blocks C₁_21936, C₂_21940, C₃_21944, . . . , C_(n)_21950. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C_21951.

[0290] FIG. 24 is an explanatory diagram showing the corresponding decryption process.

[0291] Ciphertext C′_21960 is divided into blocks C′₁_21961, C′₂_21962, C′₃_21963, . . . , C′_(n)_21964, each having 32 bits.

[0292] C′₁ and an initial value FB′₀_21965 are exclusive-ORed, and the result is multiplied by 1/Bb_21966. The multiplication result is set as a feedback value FB′₁_21969. The feedback value FB′₁_21969 is exclusive-ORed with an initial value FA′₀_21967, and the result is multiplied by 1/Ba_21968 to generate a feedback value FA′₁_21970. The feedback value FA′₁_21970 is exclusive-ORed with A₁_21971 to obtain a plaintext block P′₁_21972.

[0293] The other blocks C′₂_21962, C′₃_21963, . . . , C′_(n)_21964 are also processed in the same way as C′₁_21961 to obtain plaintext blocks P′₁_21972, P′₂_21976, P′₃_21980, . . . , P′_(n)_21985, which are then concatenated one after another to produce plaintext P′_21986. The plaintext P′_21986 is divided into L′_21897, M′_21988, and Z′_21989. Furthermore, Z′_21989 is divided into T′_21992 and R′_21993 so as to check the redundancy R′_21993.

[0294] (Fourth Embodiment)

[0295] As described below, a fourth embodiment of the present invention provides a cryptographic method capable of properly starting encryption/decryption processing without using information on the length of the message to be processed. Accordingly, the fourth embodiment makes it possible to perform cryptographic processing of stream-type data (messages) whose entire length is not known beforehand.

[0296] The fourth embodiment replaces the random number generation 2 subroutine and the plaintext preparation subroutine in the encryption program PROG1A, and the decryption program PROG3A employed in the second embodiment, with a random number generation 4 subroutine, a plaintext preparation 2 subroutine, and a decryption program PROG6, respectively.

[0297] Description will be made of the process flow of the random number generation 4 subroutine with reference to FIG. 29.

[0298] Step 40212 (input of necessary parameters): obtains the number n of message blocks making up a padded message, and a secret key K.

[0299] Step 40213 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and outputs it as a pseudorandom number sequence A.

[0300] Step 40214 (division of pseudorandom number sequence A into blocks): divides the pseudorandom number sequence A into blocks A₁, A₂, . . . , A_(n), each having 64 bits.

[0301] Step 40215 (generation of random number B): executes PROG2 using the secret key K to generate a random number B having 64 bits.

[0302] Step 40216: if the value of B generated at step 40215 is 0, returns to step 40215.

[0303] Step 40217 (generation of random number Q): executes PROG2 using the secret key K to generate a random number Q having 64 bits.

[0304] Next, description will be made of the process flow of the plaintext preparation 2 subroutine with reference to FIGS. 30 and 31.

[0305] Step 40202: waits for input of an encryption-target message M40300. The message is either input from the keyboard 10008, read out from a RAM, or introduced from another medium.

[0306] Step 40203: adds padding to the message so that the length of the message is a multiple of a predetermined number. Specifically, the padded data (message) is set to have a length that is an integer multiple of 64 bits for subsequent processing. When the length of the message M40300 is L bits, this step appends (64 − L (mod 64)) zero bits to the end of the message M40300.

[0307] Step 40204 (addition of secret data): further adds 64-bit secret data Q40302 to the end of the message M40300. The secret data Q40302 can be known only by a person who holds or has obtained its key (or the key data). The secret data may be a random number generated from the secret key K. The above step 40217 performs this process of generating the secret data.

[0308] Step 40205 (addition of redundancy data): still further adds a redundancy R40303 of 64 bits to the end of the message M40300.

[0309] Step 40206 (division of message data into plaintext blocks): divides the data P40304 (the padded message) obtained at step 40205 into blocks P₁, P₂, . . . , P_(n), each having 64 bits.

[0310] Description will be made of the process flow of the decryptionprogram PROG6 with reference to FIGS. 32 and 34.

[0311] Step 40402 (a data setting subroutine): waits for input of theinitial value V, the redundancy R, and the secret key K.

[0312] Step 40403 (a ciphertext preparation subroutine): waits for inputof ciphertext C′, and divides the given ciphertext C′ into a series ofciphertext blocks C′_(i) (1≦i≦n) each having 32 bits and outputs them.

[0313] Step 40404 (random number generation 4 subroutine): outputspseudorandom number sequences A_(i) (1≦i≦n) and B based on the secretkey K.

[0314] Step 40405 (decryption 3 subroutine): uses the pseudorandomnumber sequences A_(i), B, and Q, the series of the ciphertext blocksC′_(i) (1≦i≦n), and the initial value V to output a series of plaintextblocks P′_(i) (1≦i≦n).

[0315] Step 40406 (plaintext extraction 2 subroutine): combines theseries of plaintext blocks P′_(i) 40601 into three data strings M′40602,Q′40603, and R′40604.

[0316] Step 40407: if Q′40603=Q40302 and R′40604=R40303, proceeds tostep 40409.

[0317] Step 40408: outputs a rejection indication and proceeds to step40410.

[0318] Step 40409: stores M′ into a RAM.

[0319] Step 40410: ends the process.

[0320] Next, description will be made of the process flow of theplaintext extraction 2 subroutine with reference to FIG. 33.

[0321] Step 40502: removes the last 128 bits of the decrypted plaintext,and sets a plaintext block M′ to the remaining decrypted text.

[0322] Step 40503: sets Q′ to the upper 64 bits of the removed last 128bits obtained at step 40502.

[0323] Step 40504: sets R′ to the lower 64 bits of the removed last 128bits.
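The framing of steps 40203 through 40206 and the matching extraction and check of steps 40406 through 40409 and 40502 through 40504, written out as an added example. This is not code from the patent: the encryption and decryption steps in between are omitted, so the plaintext blocks are handed directly to the extraction side. The padding rule is implemented exactly as step 40203 states it, which means a message whose length is already a multiple of 64 bits receives a full block of zeros, and, as step 40502 states, M′ keeps that padding. The constant-time comparison of Q′ and R′ is an added choice, not something the page specifies.

```python
"""Added example of the message framing (steps 40203-40206) and the
acceptance check (steps 40406-40409, 40502-40504). Not the patent's code."""
import hmac

BLOCK = 8  # 64 bits, the block, secret-data and redundancy size used in the text


def prepare_plaintext(message: bytes, q: bytes, r: bytes) -> list:
    """Steps 40203-40206: pad, append secret data Q and redundancy R,
    then split into 64-bit plaintext blocks P_1 ... P_n."""
    assert len(q) == BLOCK and len(r) == BLOCK, "Q and R are 64 bits each"
    # Step 40203 as stated: append (64 - L mod 64) zero bits, i.e. 1..8 zero bytes.
    # When L is already a multiple of 64 this appends a whole zero block.
    padded = message + b"\x00" * (BLOCK - len(message) % BLOCK)
    data = padded + q + r                       # steps 40204 and 40205
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]   # step 40206


def extract_plaintext(blocks: list):
    """Steps 40502-40504: split off the last 128 bits into Q' (upper 64)
    and R' (lower 64); M' is everything before them, padding included."""
    data = b"".join(blocks)
    m_prime, tail = data[:-2 * BLOCK], data[-2 * BLOCK:]
    return m_prime, tail[:BLOCK], tail[BLOCK:]


def check_and_extract(blocks: list, q: bytes, r: bytes):
    """Steps 40406-40410: return M' only if Q' == Q and R' == R,
    otherwise None (the rejection indication). The comparison is
    constant-time so that the check itself leaks nothing about Q or R
    (an added choice, not specified by the page)."""
    m_prime, q_prime, r_prime = extract_plaintext(blocks)
    if hmac.compare_digest(q_prime, q) and hmac.compare_digest(r_prime, r):
        return m_prime
    return None


# Constructed sample values, not from the patent
Q_SAMPLE = b"Q" * BLOCK
R_SAMPLE = b"R" * BLOCK

if __name__ == "__main__":
    blocks = prepare_plaintext(b"hello", Q_SAMPLE, R_SAMPLE)
    print(len(blocks), check_and_extract(blocks, Q_SAMPLE, R_SAMPLE))
    print(check_and_extract(blocks, Q_SAMPLE, b"X" * BLOCK))
```

The check only asserts that both trailing fields survived intact; the alteration-detection guarantee the page claims rests on the encryption operation (with its feedback between blocks) spreading any ciphertext change into those fields, which this framing code does not model.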

[0324] (Fifth Embodiment)

[0325] The above first through fourth embodiments of the present invention have a single-processor configuration, that is, they do not employ parallel processing. A fifth embodiment of the present invention, however, shows that the present invention can be easily applied to parallel processing.

[0326] The system configuration (not shown) of the fifth embodiment is different from that shown in FIG. 1 in that the computer A10002 employs both a CPU 1_30004 and a CPU 2_30005 instead of the CPU 10004, and the RAM 10005 stores a parallel encryption program PROG4_30016 in addition to the components shown in FIG. 1. Furthermore, the computer B10003 employs both a CPU 1_30017 and a CPU 2_30018 instead of the CPU 10015, and the RAM 10016 stores a parallel decryption program PROG5_30025 in addition to the components shown in FIG. 1.

[0327] The computer A10002 executes the parallel encryption program PROG4_30016 to generate ciphertext C10022 from a message M10014 and transmit the generated ciphertext C10022. Receiving the ciphertext C10022, the computer B10003 executes the parallel decryption program PROG5_30025, and if no alteration is detected, the computer B10003 stores the decryption results into the RAM 10016.

[0328] The CPUs 1_30004 and 2_30005 implement the parallel encryption program PROG4_30016 by executing the program read out from the RAM 10005 in the computer A10002. The parallel encryption program PROG4_30016 internally calls and executes the encryption program PROG1_10009 and the random number generation program PROG2_10010 as its subroutines.

[0329] The CPUs 1_30017 and 2_30018 execute the parallel decryption program PROG5_30025 read out from the RAM 10016 in the computer B10003. The parallel decryption program PROG5_30025 calls and executes the decryption program PROG3_10020 and the random number generation program PROG2_10021 as its subroutines.

[0330] The other configurations and operations of the system are the same as those shown in FIG. 1.

[0331] Description will be made of the process flow of the parallel encryption program PROG4_30016 with reference to FIG. 25. The expression “A∥B” denotes concatenation of two bit-strings A and B.

[0332] Step 40002: divides a message M into two parts, M₁ and M₂, in message processing performed by the CPU 1.

[0333] Step 40003: uses an initial value V+1, a redundancy R+1, a secret key K, and the plaintext M₁ to output ciphertext C₁ in encryption processing by the encryption program PROG1_10009 executed by CPU 1.

[0334] Step 40004: uses an initial value V+2, a redundancy R+2, the secret key K, and the plaintext M₂ to output ciphertext C₂ in encryption processing by the encryption program PROG1_10009 executed by CPU 2.

[0335] Step 40005: uses an initial value V, a redundancy R, the secret key K, and plaintext (R₁∥R₂) to output ciphertext C₃ in encryption processing by the encryption program PROG1_10009 executed by CPU 1.

[0336] Step 40006: generates ciphertext C (C = C₁∥C₂∥C₃).

[0337] Step 40007: stores the ciphertext C into a memory.

[0338] Description will be made of the process flow of the parallel decryption program PROG5_30025 with reference to FIG. 26.

[0339] Step 40102: divides ciphertext C′ into three parts, C′₁, C′₂, and C′₃. C′₃ has 192 bits, and C′₁ and C′₂ have the same length, where C′ = C′₁∥C′₂∥C′₃.

[0340] Step 40103: uses the initial value V+1 and the secret key K to decrypt the ciphertext block C′₁ into a message block M′₁ and the redundancy R+1 in decryption processing by the decryption program PROG3_10020 executed by the CPU 1, and stores the message block M′₁ and the redundancy R+1.

[0341] Step 40104: uses the initial value V+2 and the secret key K to decrypt the ciphertext block C′₂ into a message block M′₂ and the redundancy R+2 in decryption processing by the decryption program PROG3_10020 executed by CPU 2, and stores the message block M′₂ and the redundancy R+2.

[0342] Step 40105: if at least one of the decryption results obtained at steps 40103 and 40104 is a reject, performs step 40111.

[0343] Step 40106: uses the initial value V and the secret key K to decrypt the ciphertext block C′₃ into a block and the redundancy R in decryption processing by the decryption program PROG3_10020 executed by the CPU 1, and stores the decryption result (the decrypted block) and the redundancy R.

[0344] Step 40107: if the decryption result obtained at step 40106 is a reject, performs step 40111.

[0345] Step 40108: if the decrypted block obtained at step 40106 is not equal to (R+1)∥(R+2), performs step 40111.

[0346] Step 40109: lets M′ = M′₁∥M′₂ (M′: decryption result).

[0347] Step 40110: stores M′ into a memory and performs step 40112.

[0348] Step 40111: outputs a rejection indication.

[0349] As described above, the fifth embodiment can provide parallel cryptographic processing using two separate processors.

[0350] FIG. 27 is an explanatory diagram showing the encryption process employed by the above parallel cryptographic processing method.

[0351] M₁_40141 and M₂_40142 obtained as a result of dividing a message M40140 are added with redundancies R+1 and R+2, respectively, and denoted as blocks 40143 and 40144. The blocks 40143 and 40144 are encrypted by use of encryption processes 40146 and 40147 to obtain ciphertext blocks C₁_40149 and C₂_40150, respectively. Further, a combination of the redundancies R+1 and R+2, which is set as a message, and another redundancy R are encrypted to obtain a ciphertext block C₃_40151.

[0352] The ciphertext blocks C₁_40149, C₂_40150, and C₃_40151 are concatenated one after another to output ciphertext C40152.

[0353] FIG. 28 is an explanatory diagram showing the corresponding parallel decryption process.

[0354] Ciphertext C′40160 is divided into three blocks, C′₁_40161, C′₂_40162, and C′₃_40163.

[0355] The obtained blocks C′₁_40161, C′₂_40162, and C′₃_40163 are decrypted by decryption processes 40164, 40165, and 40166 to obtain plaintext blocks 40167, 40168, and 40169, respectively.

[0356] If the obtained plaintext blocks are accepted, the redundancies included in the plaintext blocks 40167 and 40168 are identical to the message portion of the plaintext block 40169, and furthermore the redundancy included in the plaintext block 40169 is equal to the one shared beforehand, the message portions M′₁_40170 and M′₂_40171 are extracted from the plaintext blocks 40167 and 40168, respectively, and concatenated to obtain a message M′40172.
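The split-and-bind structure of the fifth embodiment (PROG4, steps 40002 through 40006, and PROG5, steps 40102 through 40111, as drawn in FIGS. 27 and 28), as an added example that is not code from the patent. The example assumes that V, R and the derived values V+1, V+2, R+1, R+2 are 64-bit integers with addition mod 2⁶⁴, and that the two halves of M are equal in length so that C′₁ and C′₂ can be re-split at step 40102. PROG1, PROG2 and PROG3 are replaced by a stand-in: an HMAC-SHA256 counter-mode keystream XORed over message∥R. That stand-in reproduces the data flow, the 192-bit C₃ binding block and the three-stage check sequence, but not the patent's feedback-chained encryption operation, so it only detects changes to the redundancy bytes and to C₃; in the patent's construction the feedback is what makes a change anywhere in a block disturb its redundancy.

```python
"""Added example: the fifth embodiment's parallel encryption (PROG4) and
decryption (PROG5) structure with a stand-in cipher. Not the patent's code."""
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 8                  # 64-bit blocks and 64-bit redundancies, as in the text
MASK64 = (1 << 64) - 1     # assumption: V+1, R+1 etc. are 64-bit additions mod 2^64


def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Stand-in for PROG2 (not the patent's generator): HMAC-SHA256 in
    counter mode, keyed by K and seeded with the initial value V."""
    out, ctr = b"", 0
    while len(out) < length:
        block_input = iv.to_bytes(BLOCK, "big") + ctr.to_bytes(BLOCK, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def prog1_encrypt(key: bytes, iv: int, redundancy: int, message: bytes) -> bytes:
    """Stand-in for PROG1: plaintext = message || R (64 bits), XORed with the
    keystream. The patent's feedback-chained operation is not reproduced, so
    this stand-in only detects changes to the redundancy bytes."""
    plaintext = message + redundancy.to_bytes(BLOCK, "big")
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def prog3_decrypt(key: bytes, iv: int, expected_r: int, ciphertext: bytes):
    """Stand-in for PROG3: returns (accepted, message, recovered redundancy)."""
    ks = keystream(key, iv, len(ciphertext))
    pt = bytes(c ^ k for c, k in zip(ciphertext, ks))
    message, r_prime = pt[:-BLOCK], int.from_bytes(pt[-BLOCK:], "big")
    return r_prime == expected_r, message, r_prime


def parallel_encrypt(key: bytes, v: int, r: int, message: bytes) -> bytes:
    """PROG4, steps 40002-40006."""
    assert len(message) % 2 == 0, "C1 and C2 must have the same length (step 40102)"
    half = len(message) // 2
    m1, m2 = message[:half], message[half:]                            # step 40002
    r1, r2 = (r + 1) & MASK64, (r + 2) & MASK64
    with ThreadPoolExecutor(max_workers=2) as pool:                    # CPU 1 and CPU 2
        f1 = pool.submit(prog1_encrypt, key, (v + 1) & MASK64, r1, m1)  # step 40003
        f2 = pool.submit(prog1_encrypt, key, (v + 2) & MASK64, r2, m2)  # step 40004
        c1, c2 = f1.result(), f2.result()
    # Step 40005: bind the two halves by encrypting (R+1 || R+2) under (V, R);
    # with 64-bit fields this C3 is the 192 bits named at step 40102.
    bound = r1.to_bytes(BLOCK, "big") + r2.to_bytes(BLOCK, "big")
    c3 = prog1_encrypt(key, v, r, bound)
    return c1 + c2 + c3                                                # step 40006


def parallel_decrypt(key: bytes, v: int, r: int, ciphertext: bytes):
    """PROG5, steps 40102-40111. Returns M' or None (the rejection indication)."""
    body, c3 = ciphertext[:-3 * BLOCK], ciphertext[-3 * BLOCK:]        # step 40102
    if len(c3) != 3 * BLOCK or len(body) % 2:
        return None
    half = len(body) // 2
    c1, c2 = body[:half], body[half:]
    r1, r2 = (r + 1) & MASK64, (r + 2) & MASK64
    with ThreadPoolExecutor(max_workers=2) as pool:
        f1 = pool.submit(prog3_decrypt, key, (v + 1) & MASK64, r1, c1)  # step 40103
        f2 = pool.submit(prog3_decrypt, key, (v + 2) & MASK64, r2, c2)  # step 40104
        (ok1, m1, r1p), (ok2, m2, r2p) = f1.result(), f2.result()
    if not (ok1 and ok2):                                              # step 40105
        return None
    ok3, bound, _ = prog3_decrypt(key, v, r, c3)                       # step 40106
    if not ok3:                                                        # step 40107
        return None
    # Step 40108 / FIG. 28: the message portion of C3 must equal the
    # redundancies recovered from C1 and C2, i.e. (R+1) || (R+2).
    if bound != r1p.to_bytes(BLOCK, "big") + r2p.to_bytes(BLOCK, "big"):
        return None
    return m1 + m2                                                     # step 40109


# Constructed sample values, not from the patent
KEY = b"\x01" * 16
V, R = 0x1122334455667788, 0xAABBCCDDEEFF0011
MSG = b"sixteen byte msg" * 2

if __name__ == "__main__":
    c = parallel_encrypt(KEY, V, R, MSG)
    print(len(c), parallel_decrypt(KEY, V, R, c) == MSG)
    print(parallel_decrypt(KEY, V, R ^ 0xFF, c))    # wrong shared R: rejected
```

The ciphertext is 5 × 64 bits longer than the message: one 64-bit redundancy on each half plus the 192-bit C₃. Note that a receiver must run all three checks before releasing M′; returning M′₁∥M′₂ after steps 40103 and 40104 alone would skip the binding check of step 40108 that ties the two halves to one another.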

[0357] Any CPU capable of executing a program can be used for the above embodiments, whether it is a general-purpose CPU or a dedicated one. Even though the above embodiments are each implemented by execution of programs by a CPU (or CPUs), dedicated hardware can be used for each process employed, providing high speed and low cost.

[0358] Any of the known pseudorandom number generators can be applied to the above embodiments. The known pseudorandom number generators include a pseudorandom generator using a linear feedback shift register (LFSR) with a nonlinear filter, a nonlinear feedback shift register, a combining generator, a shrinking generator, a clock-controlled pseudorandom number generator, a Geffe generator, an alternating step generator, RC4, SEAL, PANAMA, the OFB mode of a block cipher, the counter mode of a block cipher, and other pseudorandom number generators using hash functions.

[0359] (Sixth Embodiment)

[0360] The above first through fifth embodiments each provide a cryptographic processing method. A sixth embodiment of the present invention, on the other hand, shows that the present invention can be applied to various information systems.

[0361] FIG. 35 is a diagram showing the configuration of a system in which computers A50016 and B50017 are connected through a network 50009 for cryptocommunications from the computer A50016 to the computer B50017. The computer A50016 has a CPU 50007, a RAM 50001, and a network interface device 50008 therein. The RAM 50001 stores key-exchange protocol software 50002 for executing a key-exchange protocol, a public key 50004 of the authentication center, a secret-key generation program 50003, an encryption program 50006, and communication data 50005 (corresponding to the message M in each embodiment described above) to be transmitted using cryptocommunications. The computer B50017 has a CPU 50014, a RAM 50010, and a network interface device 50015 therein. The RAM 50010 stores key-exchange protocol software 50011 and a decryption program 50013.

[0362] The computer A executes the secret-key generation program 50003 to generate a secret key used for cryptocommunications with the computer B50017. The computers A50016 and B50017 execute the key-exchange protocol software 50002 and 50011, respectively, to share the secret key generated by the computer A.

[0363] After sharing the secret key, the computer A50016 executes the encryption program 50006 of the present invention to encrypt the communication data 50005 at high speed. The computer A50016 then transmits the encryption results to the computer B50017 through the network 50009 using the network interface device 50008.

[0364] The computer B50017 executes the decryption program 50013 of the present invention to decrypt the received ciphertext at high speed to restore the communication data.

[0365] This embodiment shows that the present invention can provide high-speed and safe cryptocommunications even when available hardware resources are limited. That is, the present invention is capable of realizing a highly safe cryptocommunication system which is faster than the conventional cryptographic method, and provides confidentiality as well as a mathematically proven alteration detection function.

[0366] (Seventh Embodiment)

[0367] The above sixth embodiment performs cryptographic processing by use of software. A seventh embodiment of the present invention, on the other hand, shows that the present invention can be realized by hardware implementation.

[0368] FIG. 36 is a diagram showing the configuration of an encryption apparatus employed in a cryptocommunication system using a network. The computer 50110 has a RAM 50101, a CPU 50104, and a network interface device 50105 therein, and is connected to a network 50106. The RAM 50101 stores communication data 50103 (corresponding to the message M in each embodiment described above) to be encrypted and a communication program 50102, and the CPU 50104 executes the communication program 50102 to output the communication data 50103 to the network interface device 50105. The network interface device 50105 includes a secret-key generation circuit 50107, an encryption circuit 50109, and a key-exchange protocol circuit 50108, and has a public key 50110 of the authentication center stored in its memory area. According to the execution of the communication program 50102, the network interface device 50105 generates a secret key by use of the secret-key generation circuit 50107, and exchanges the generated secret key with another device on the network using the key-exchange protocol circuit 50108 so as to share the generated secret key with the communication destination device. The encryption circuit 50109 in the network interface device 50105 encrypts the input communication data 50103 at high speed using the generated and then shared secret key to generate ciphertext, which is then output to the network 50106.

[0369] This embodiment shows that the present invention can provide safe and fast cryptocommunications using limited hardware resources. Particularly, if this embodiment is combined with the cryptographic processing method of the second embodiment, more efficient and safe cryptocommunications can be realized. This is because addition and multiplication in the finite field F₂⁶⁴ employed in the second embodiment are suitable for hardware implementation. The decryption process can also be implemented by hardware in the same way.

[0370] As shown by this embodiment, the present invention can provide a cryptographic method whose hardware implementation requires a small number of gates or performs very high-speed processing.

[0371] (Eighth Embodiment)

[0372] By using a computer capable of performing the cryptographic processing employed in the sixth or seventh embodiment, it is possible to easily realize contents delivery protected by encryption. An eighth embodiment of the present invention shows an example of contents delivery.

[0373] As shown in FIG. 37, a storage device (whose medium is not limited to a specific type, that is, it is possible to use a semiconductor storage device, a hard disk, a magnetic storage device such as one using tape, or an optical storage device such as a DVD or an MO) storing contents 50201 as digital information is connected to a computer 50202 capable of performing encryption processing according to the present invention. An information reproduction device 50205 (an MPEG reproduction device, a digital TV, a personal computer, etc.) which is to reproduce the contents and may be located in a physically remote place is connected to an external coding device 50204 capable of performing decryption processing according to the present invention. The computer 50202 and the external coding device are connected to each other through a network 50203.

[0374] The contents 50201 are encrypted by the computer 50202 capable of encryption, and then transmitted to the network 50203. The external coding device 50204 capable of decryption decrypts the encrypted contents, and outputs the decryption results to the information reproduction device 50205. The information reproduction device 50205 stores and reproduces the input information.

[0375] The contents 50201 handled by the information reproduction device 50205 include not only electronic files but also multimedia data such as computer software, sound, and images. Contents which require real-time processing, such as sound and movies, can be encrypted or decrypted at high speed by applying the present invention, making it possible to secure smooth real-time transmission. Furthermore, the receiving device can detect data corruption due to alteration or noise during the transmission, ensuring communications free of transmission errors.

[0376] (Ninth Embodiment)

[0377] The eighth embodiment delivers contents by transmission through a network. When it is necessary to deliver a very large amount of information, however, it is more efficient to deliver ciphertext on a DVD, etc. beforehand, and then transmit the decryption key at the time of permitting the decryption of the ciphertext. Such a system is provided by a ninth embodiment.

[0378] As shown in FIG. 38, contents are distributed to the consumer as ciphertext, using a medium such as a DVD-ROM 50307, beforehand. The consumer enters information 50306 (money transfer information) on payment for the contents using a contents-key exchange program 50305 running on the consumer's personal computer 50304. The contents-key exchange program 50305 then obtains a key from a contents-key table in a key server 50302 through a network 50303. A decryption program 50308 decrypts the ciphertext contents recorded on the DVD-ROM 50307 using the obtained key. The decryption results are output to the information reproduction device 50309, which then reproduces the contents.

[0379] This embodiment may be configured such that the contents are not output to the information reproduction device 50309, and the personal computer 50304 itself reproduces them. In a typical example, the contents are a program to be executed on a personal computer. The above reproduction method of using a personal computer is efficient in such a case. When the ciphertext contents recorded on a DVD-ROM can be divided into several parts, and each part is encrypted using a different key, it is possible to control the keys transmitted to the contents-key acquisition program 50305 so as to limit the contents which can be decrypted by the consumer.

[0380] The ninth embodiment was described assuming that data recorded on the DVD-ROM 50307 is to be read out. Generally, a very large amount (a few tens of megabytes to a few hundreds of megabytes) of data is stored on the DVD-ROM 50307, and therefore a fast cryptographic processing method is required for processing such data. Since the present invention can provide high-speed decryption, the present invention is suitably applied to distribution of charged contents using a DVD medium.

[0381] (Tenth Embodiment)

[0382] In a tenth embodiment of the present invention, the present invention is applied to a router which controls packet transfer on a network. This router encrypts packets differently depending on the destination router of each packet at the time of their transmission to the network.

[0383] FIG. 39 is a diagram showing the configuration of a cryptographic router. The network router 50401 has a routing table 50402, a packet exchanger 50403, network interfaces A50404, B50405, and C50406, and an internal parallel encryption/decryption device 50410 therein. The network interfaces A50404, B50405, and C50406 are connected to external networks A50407, B50408, and C50409, respectively.

[0384] The internal parallel encryption/decryption device 50410 has a secret-key table 50411, a router-key storage area 50412, and a parallel encryption/decryption circuit 50413 therein.

[0385] A packet sent from the network A50407 is transmitted to the internal parallel encryption/decryption device 50410 through the network interface A50404. After recognizing that the received packet originated from the network A50407, the internal parallel encryption/decryption device 50410 refers to the secret-key table 50411 to obtain the secret key corresponding to the network A50407, stores the obtained secret key in the router-key storage area 50412, and decrypts the packet using the parallel encryption/decryption circuit 50413. The internal parallel encryption/decryption device 50410 then transmits the decryption results to the packet exchanger 50403.

[0386] The following description assumes that this decrypted packet should be transmitted to the network B. The packet exchanger 50403 transfers the packet to the internal parallel encryption/decryption device 50410. The internal parallel encryption/decryption device 50410 refers to the secret-key table 50411 to obtain the secret key corresponding to the network B50408, stores the obtained secret key in the router-key storage area 50412, and encrypts the packet using the parallel encryption/decryption circuit 50413. The internal parallel encryption/decryption device 50410 then transmits the encryption results to the network interface B50405 which, in turn, transmits the received encrypted packet to the network B50408.

[0387] This embodiment is applied to an application used in an environment in which a large quantity of hardware resources is available and which requires cryptocommunications at very high speed. In the CBC mode of a block cipher, in which parallel processing is difficult to employ, it is difficult to enhance the processing speed even when a large quantity of hardware resources is available. In contrast, parallel processing is very easy to employ in the present invention (providing a high level of parallel operation) since the pseudorandom number generation process is independent of the plaintext and ciphertext processing. That is, the present invention can attain a higher communication speed in an environment in which a large quantity of hardware resources suitable for parallel processing is available.

What is claimed is:
 1. A symmetric-key encryption method comprising thesteps of: dividing plaintext composed of redundancy data and a messageto generate a plurality of plaintext blocks each having a predeterminedlength; generating a random number sequence based on a secret key;generating a random number block corresponding to one of said pluralityof plaintext blocks from said random number sequence; outputting afeedback value obtained as a result of operation on said one of theplurality of plaintext blocks and said random number block, saidfeedback value being fed back to another one of the plurality ofplaintext blocks; and performing an encryption operation using said oneof the plurality of plaintext blocks, said random number block, and afeedback value obtained as a result of operation on still another one ofthe plurality of plaintext blocks to produce a ciphertext block.
 2. Thesymmetric-key encryption method as claimed in claim 1 , wherein saidencryption operation uses one or more said random number blocks whosetotal length is longer than a length of said ciphertext block.
 3. Thesymmetric-key encryption method as claimed in claim 2 , wherein saidplaintext further includes secret data of a predetermined length.
 4. Thesymmetric-key encryption method as claimed in claim 2 , wherein saidencryption operation performs a binomial operation or a monomialoperation using one of said plurality of plaintext blocks one or moretimes according to a predetermined procedure, combines a plurality ofobtained ciphertext blocks, and outputs the combined plurality ofciphertext blocks as ciphertext.
 5. The symmetric-key encryption methodas claimed in claim 2 , wherein said encryption operation includesmultiplication and addition in a finite field.
 6. The symmetric-keyencryption method as claimed in claim 2 , wherein said encryptionoperation includes a combination of a cyclic shift operation andarithmetic multiplication.
 7. The symmetric-key encryption method asclaimed in claim 2 , wherein said symmetric-key encryption methodemploys a pseudorandom-number generating means for generating saidrandom number sequence based on said secret key.
 8. The symmetric-keyencryption method as claimed in claim 7 , further comprising steps of:dividing said message into a plurality of message blocks; generating anumber of random number sequences equal to the number of said pluralityof message blocks using said pseudorandom-number generating means; andperforming parallel processing by assigning said plurality of messageblocks to one operation unit and assigning said number of random numbersequences to another operation unit.
 9. A symmetric-key decryptionmethod comprising the steps of: dividing ciphertext to generate aplurality of ciphertext blocks each having a predetermined length;generating a random number sequence based on a secret key; generating arandom number block corresponding to one of said plurality of ciphertextblocks from said random number sequence; outputting a feedback valueobtained as a result of operation on said one of the plurality ofciphertext blocks and said random number block, said feedback valuebeing fed back to another one of the plurality of ciphertext blocks; andperforming a decryption operation using said one of the plurality ofciphertext blocks, said random number block, and a feedback valueobtained as a result of operation on still another one of the pluralityof ciphertext blocks to produce a plaintext block.
 10. The symmetric-keydecryption method as claimed in claim 9 , wherein said decryptionoperation uses one or more said random number blocks whose total lengthis longer than a length of said one of the plurality of ciphertextblocks.
 11. The symmetric-key decryption method as claimed in claim 10 ,further comprising steps of: concatenating a plurality of said plaintextblocks to generate plaintext; extracting redundancy data included insaid plaintext; and checking said redundancy data to detect whether saidciphertext has been altered.
 12. The symmetric-key decryption method asclaimed in claim 11 , further comprising steps of: extracting secretdata included in said plaintext; and checking said redundancy data andsaid secret data to detect whether said ciphertext has been altered. 13.A symmetric-key encryption apparatus comprising: a circuit for receivingplaintext composed of redundancy data and a message, and dividing thereceived plaintext to generate a plurality of plaintext blocks eachhaving a predetermined length; a circuit for receiving a secret key togenerate a random number sequence, and generating a random number blockcorresponding to one of said plurality of plaintext blocks from saidrandom number sequence; a circuit for outputting a feedback valueobtained as a result of operation on said one of the plurality ofplaintext blocks and said random number block, said feedback value beingfed back to another one of the plurality of plaintext blocks; and anencryption operation circuit for performing an encryption operationusing said one of the plurality of plaintext blocks, said random numberblock, and a feedback value obtained as a result of operation on stillanother one of the plurality of plaintext blocks and another randomnumber block to produce a ciphertext block.
 14. The symmetric-keyencryption apparatus as claimed in claim 13 , wherein said encryptionoperation circuit uses one or more said random number blocks whose totallength is longer than a length of said ciphertext block.
 15. Thesymmetric-key encryption apparatus as claimed in claim 14 , wherein saidplaintext further includes secret data of a predetermined length. 16.The symmetric-key encryption apparatus as claimed in claim 14 , whereinsaid encryption operation circuit includes: a circuit for performing abinomial operation or a monomial operation using one of said pluralityof plaintext blocks one or more times according to a predeterminedprocedure; and a circuit for combining a plurality of obtainedciphertext blocks, and outputting the combined plurality of ciphertextblocks as ciphertext.
 17. The symmetric-key encryption apparatus asclaimed in claim 14 , wherein said encryption operation circuit performsmultiplication and addition in a finite field.
 18. The symmetric-keyencryption apparatus as claimed in claim 14 , wherein said encryptionoperation circuit includes a cyclic shift operation circuit and anarithmetic multiplication circuit.
 19. The symmetric-key encryptionapparatus as claimed in claim 14 , further comprising: a pseudorandomnumber generator for generating said random number sequence based onsaid secret key.
 20. The symmetric-key encryption apparatus as claimedin claim 19 , further comprising: a circuit for dividing said messageinto a plurality of message blocks; a circuit for generating a number ofrandom number sequences equal to the number of said plurality of messageblocks using said pseudorandom number generator; a plurality ofoperation units; and a circuit for assigning said plurality of messageblocks to one of the plurality of operation units and assigning saidnumber of random number sequences to another one of the plurality ofoperation units.
 21. A symmetric-key decryption apparatus comprising: acircuit for receiving ciphertext, and dividing the received ciphertextto generate a plurality of ciphertext blocks each having a predeterminedlength; a circuit for receiving a secret key to generate a random numbersequence whose length is longer than a length of said ciphertext, andgenerating a random number block corresponding to one of said pluralityof ciphertext blocks from said random number sequence; a circuit foroutputting a feedback value obtained as a result of operation on saidone of the plurality of ciphertext blocks and said random number block,said feedback value being fed back to another one of the plurality ofciphertext blocks; and a decryption operation circuit for performing adecryption operation using said one of the plurality of ciphertextblocks, said random number block, and a feedback value obtained as aresult of operation on still another one of the plurality of ciphertextblocks to produce a plaintext block.
 22. The symmetric-key decryptionapparatus as claimed in claim 21 , wherein said decryption operationcircuit uses one or more said random number blocks whose total length islonger than a length of said one of the plurality of ciphertext blocks.23. The symmetric-key decryption apparatus as claimed in claim 22 ,further comprising: a circuit for concatenating a plurality of saidplaintext blocks to generate plaintext; a circuit for extractingredundancy data included in said plaintext; and a circuit for checkingsaid redundancy data to detect whether said ciphertext has been altered.24. The symmetric-key decryption apparatus as claimed in claim 23 ,further comprising: a circuit for extracting secret data included insaid plaintext, wherein said circuit for detecting whether saidciphertext has been altered checks said secret data and said redundancydata to detect whether said ciphertext has been altered.
 25. A mediumstoring a program for causing a computer to perform a symmetric-keyencryption method, wherein said program is read into said computer, saidsymmetric-key encryption method comprising the steps of: readingplaintext composed of redundancy data and a message, and dividing saidplaintext to generate a plurality of plaintext blocks each having apredetermined length; receiving a secret key to generate a random numbersequence, and generating a random number block corresponding to one ofsaid plurality of plaintext blocks from said random number sequence;outputting a feedback value obtained as a result of operation on saidone of the plurality of plaintext blocks and said random number block,said feedback value being fed back to another one of the plurality ofplaintext blocks; and performing an encryption operation using said oneof the plurality of plaintext blocks, said random number block, and afeedback value obtained as a result of operation on still another one ofthe plurality of plaintext blocks and another random number block toproduce a ciphertext block.
 26. The medium storing a program as claimedin claim 25 , wherein said encryption operation uses one or more saidrandom number block whose total length is longer than a length of saidciphertext block.
 27. The medium storing a program as claimed in claim26 , wherein said plaintext further includes secret data of apredetermined length.
28. The medium storing a program as claimed in claim 26, wherein said encryption operation performs a binomial operation or a monomial operation using one of said plurality of plaintext blocks one or more times according to a predetermined procedure, combines a plurality of obtained ciphertext blocks, and outputs the combined plurality of ciphertext blocks as ciphertext.
29. The medium storing a program as claimed in claim 26, wherein said encryption operation includes multiplication and addition in a finite field.
30. The medium storing a program as claimed in claim 26, wherein said encryption operation includes a cyclic shift operation and arithmetic multiplication.
31. The medium storing a program as claimed in claim 26, wherein said symmetric-key encryption method further comprises a step of: generating pseudorandom numbers to generate said random number sequence based on said secret key.
32. The medium storing a program as claimed in claim 31, wherein said symmetric-key encryption method further comprises steps of: dividing said message into a plurality of message blocks; generating said pseudorandom numbers so as to generate a number of random number sequences equal to the number of said plurality of message blocks; and assigning said plurality of message blocks to one operation unit and assigning said number of random number sequences to another operation unit.
33. A medium storing a program for causing a computer to perform a symmetric-key decryption method, wherein said program is read into said computer, said symmetric-key decryption method comprising the steps of: receiving ciphertext, and dividing the received ciphertext to generate a plurality of ciphertext blocks each having a predetermined length; receiving a secret key to generate a random number sequence whose length is longer than a length of said ciphertext, and generating a random number block corresponding to one of said plurality of ciphertext blocks from said random number sequence; outputting a feedback value obtained as a result of operation on said one of the plurality of ciphertext blocks and said random number block, said feedback value being fed back to another one of the plurality of ciphertext blocks; and performing a decryption operation using said one of the plurality of ciphertext blocks, said random number block, and a feedback value obtained as a result of operation on still another one of the plurality of ciphertext blocks to produce a plaintext block.
34. The medium storing a program as claimed in claim 33, wherein said decryption operation uses one or more said random number blocks whose total length is longer than a length of said one of the plurality of ciphertext blocks.
35. The medium storing a program as claimed in claim 34, wherein said symmetric-key decryption method further comprises steps of: concatenating a plurality of said plaintext blocks to generate plaintext; extracting redundancy data included in said plaintext; and checking said redundancy data to detect whether said ciphertext has been altered.
36. The medium storing a program as claimed in claim 35, wherein said symmetric-key decryption method further comprises steps of: extracting secret data included in said plaintext; and checking said redundancy data and said secret data to detect whether said ciphertext has been altered.
37. A program product for causing a computer to perform a symmetric-key encryption method, wherein said program product is read into said computer, said program product comprising: code for causing said computer to read plaintext composed of redundancy data and a message, and divide said plaintext to generate a plurality of plaintext blocks each having a predetermined length; code for causing said computer to receive a secret key to generate a random number sequence, and generate a random number block corresponding to one of said plurality of plaintext blocks from said random number sequence; code for causing said computer to output a feedback value obtained as a result of operation on said one of the plurality of plaintext blocks and said random number block, said feedback value being fed back to another one of the plurality of plaintext blocks; and code for causing said computer to perform an encryption operation using said one of the plurality of plaintext blocks, said random number block, and a feedback value obtained as a result of operation on still another one of the plurality of plaintext blocks and another random number block to produce a ciphertext block, wherein said program product is stored in a medium readable by said computer for embodying said codes.
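The following is an added illustration, not code from the patent or from its assignee, of the structure claims 28 through 37 describe: a key-derived random number sequence longer than the plaintext, one 64-bit random number block per plaintext block, a feedback value chained from block to block using multiplication and addition in a finite field (claim 29), and a receiver that decrypts with the same chain and then checks a secret data block and a redundancy block (claims 35 and 36) to detect alteration. Everything concrete is an assumption chosen for the example: the PRNG is HMAC-SHA256 in counter mode, the field is GF(2^64) modulo x^64 + x^4 + x^3 + x + 1, the chain is F_i = A*F_{i-1} + P_i with C_i = P_i + B_i + F_{i-1} (so a single altered ciphertext block anywhere changes the final redundancy block by (A+1)^k times the change, which is nonzero in a field once A is kept out of {0, 1}), and the plaintext layout is length header, message, zero padding, secret block S, then a fixed all-zero redundancy block R. The patent text above names no nonce, so the example assumes the key is used for one message only; reusing it would reuse the keystream.

```python
import hashlib
import hmac

BLOCK = 8                     # 64-bit blocks (assumed block size)
MASK64 = (1 << 64) - 1
REDUNDANCY = bytes(BLOCK)     # assumed public, fixed redundancy block (all zero)


def gf64_mul(x: int, y: int) -> int:
    """Multiply in GF(2^64) modulo x^64 + x^4 + x^3 + x + 1 (assumed field)."""
    r = 0
    for _ in range(64):
        if y & 1:
            r ^= x
        y >>= 1
        carry = x >> 63
        x = (x << 1) & MASK64
        if carry:
            x ^= 0x1B             # x^64 == x^4 + x^3 + x + 1
    return r


def keystream(key: bytes, nbytes: int) -> bytes:
    """Assumed PRNG: HMAC-SHA256 in counter mode. No nonce, so the key is single-use."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def _layout(key: bytes, n_msg_blocks: int):
    """Random number sequence longer than the plaintext: multiplier A, secret S, then B_i per block."""
    n_blocks = 1 + n_msg_blocks + 2          # length header, message blocks, S, R
    ks = keystream(key, (2 + n_blocks) * BLOCK)
    a = int.from_bytes(ks[:BLOCK], "big") | 2   # keep A out of {0, 1} so (A+1) != 0
    s = ks[BLOCK:2 * BLOCK]
    b = [int.from_bytes(ks[i:i + BLOCK], "big") for i in range(2 * BLOCK, len(ks), BLOCK)]
    return a, s, b


def encrypt(key: bytes, message: bytes) -> bytes:
    n_msg_blocks = -(-len(message) // BLOCK)
    a, s, b = _layout(key, n_msg_blocks)
    padded = message + bytes(n_msg_blocks * BLOCK - len(message))
    plaintext = len(message).to_bytes(BLOCK, "big") + padded + s + REDUNDANCY
    blocks = [int.from_bytes(plaintext[i:i + BLOCK], "big") for i in range(0, len(plaintext), BLOCK)]
    f = 0                                     # feedback value fed into the next block
    out = bytearray()
    for p, bi in zip(blocks, b):
        c = p ^ bi ^ f                        # plaintext block, random block, previous feedback
        out += c.to_bytes(BLOCK, "big")
        f = gf64_mul(a, f) ^ p                # multiply-and-add chain over GF(2^64)
    return bytes(out)


def decrypt(key: bytes, ciphertext: bytes):
    """Return the message, or None when the redundancy/secret checks say the ciphertext was altered."""
    if len(ciphertext) % BLOCK or len(ciphertext) < 3 * BLOCK:
        return None
    n_blocks = len(ciphertext) // BLOCK
    a, s, b = _layout(key, n_blocks - 3)
    f = 0
    plain = bytearray()
    for i in range(n_blocks):
        c = int.from_bytes(ciphertext[i * BLOCK:(i + 1) * BLOCK], "big")
        p = c ^ b[i] ^ f                      # undo random block and feedback
        plain += p.to_bytes(BLOCK, "big")
        f = gf64_mul(a, f) ^ p                # same chain as the sender
    header, body = plain[:BLOCK], plain[BLOCK:-2 * BLOCK]
    s_rx, r_rx = plain[-2 * BLOCK:-BLOCK], plain[-BLOCK:]
    msg_len = int.from_bytes(header, "big")
    ok = hmac.compare_digest(bytes(r_rx), REDUNDANCY)     # redundancy data (claim 35)
    ok &= hmac.compare_digest(bytes(s_rx), s)             # secret data (claim 36)
    ok &= msg_len <= len(body) < msg_len + BLOCK          # length header consistent with block count
    ok &= not any(body[msg_len:])                         # padding must be all zero
    return bytes(body[:msg_len]) if ok else None


if __name__ == "__main__":
    key = b"k" * 32                                       # constructed sample key
    msg = b"attack at dawn, 0300 hours"                   # constructed sample message
    ct = encrypt(key, msg)
    print(decrypt(key, ct) == msg)
    tampered = bytearray(ct)
    tampered[13] ^= 0x80                                  # flip one bit in a middle message block
    print(decrypt(key, bytes(tampered)) is None)
```

Because the feedback for block i depends on the feedback of block i-1, both directions of this toy are serial over the chain, while keystream generation is independent per block; the claims' parallelism point concerns that keystream work (claim 32 assigns message blocks and random number sequences to separate operation units). The redundancy check here is a consistency test on decrypted plaintext, not a MAC over the ciphertext, so its strength rests entirely on how the chain propagates changes; the example only shows that a single altered, truncated, or bit-flipped block is caught, and makes no claim about the patent's broader security argument.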
